Skills
skills/zhangzhengeric/sage/ppt-maker/Gen Agent Trust Hub

ppt-maker

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]:
  • The scripts/ppt_to_images.py script executes the system command soffice (LibreOffice) to convert PowerPoint files into PDF format as a precursor to image generation.
  • The command is invoked via subprocess.run using a list of arguments, which is a standard practice to prevent shell injection, though it still involves executing an external binary with user-influenced paths.
  • [DATA_EXFILTRATION]:
  • In scripts/html_to_ppt.py, the logic for processing ppt-image tags uses the src attribute without sanitizing it for path traversal sequences like ../. This could potentially be exploited to reference local files outside the intended project directory.
  • In scripts/get_template.py, the --theme argument is used to construct a local file path using os.path.join. Without proper validation, this could allow an attacker to attempt to read arbitrary JSON files from the filesystem by manipulating the theme name input.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 09:55 AM