pptx
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the execution of several local Python and JavaScript scripts to perform core tasks, including unpacking OOXML files, generating thumbnails, and replacing presentation text.
- [COMMAND_EXECUTION]: The instructions include high-privilege system commands using `sudo` to install system-level dependencies such as `libreoffice` and `poppler-utils`.
- [COMMAND_EXECUTION]: The skill invokes external system binaries like `soffice` (LibreOffice) for PDF conversion and `pdftoppm` for image generation from PDF files.
- [EXTERNAL_DOWNLOADS]: Multiple external packages are downloaded and installed from public registries (PyPI and NPM) as part of the skill setup, including `markitdown`, `pptxgenjs`, and `playwright`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external `.pptx` files.
  - Ingestion points: Content is extracted from user-provided PowerPoint files via `markitdown` and raw XML unpacking from the `.pptx` (ZIP) archive.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat the extracted text as untrusted data rather than instructions.
  - Capability inventory: The skill possesses significant capabilities, including executing local scripts, running system binaries, and modifying the local filesystem.
  - Sanitization: While the skill recommends `defusedxml` for secure XML parsing, this only protects against XML-level attacks (like XXE) and does not prevent the agent from following malicious instructions embedded within the slide text.
Recommendations
- AI detected serious security threats