pptx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The `unpack.py` script is vulnerable to a Zip Slip attack.
  - Evidence: File `ooxml/scripts/unpack.py` uses `zipfile.ZipFile(input_file).extractall(output_path)`. This function does not securely validate that the paths within the ZIP archive are contained within the target directory, potentially allowing an attacker to overwrite critical system files or scripts (e.g., `.bashrc`) if the agent processes a malicious document.
- [DATA_EXFILTRATION] (HIGH): Potential XML External Entity (XXE) vulnerability in document validation.
  - Evidence: File `ooxml/scripts/validation/docx.py` uses `lxml.etree.parse()` to process XML files from the unpacked document. `lxml` does not disable the resolution of external entities by default. An attacker could craft a `document.xml` containing a malicious DTD to read local files or perform Server-Side Request Forgery (SSRF).
- [COMMAND_EXECUTION] (MEDIUM): Subprocess execution of LibreOffice (`soffice`) in `ooxml/scripts/pack.py`.
  - Evidence: File `ooxml/scripts/pack.py` executes the `soffice` command to validate documents. While the command is constructed as a list, processing untrusted, complex file formats through a large office suite increases the attack surface for secondary vulnerabilities.
- [REMOTE_CODE_EXECUTION] (HIGH): Indirect Prompt Injection Surface.
  - Ingestion points: `ooxml/scripts/unpack.py` ingests untrusted `.docx`, `.pptx`, and `.xlsx` files from external sources.
  - Boundary markers: None identified.
  - Capability inventory: File system write access and external command execution (`subprocess.run`).
  - Sanitization: Inconsistent. While `defusedxml` is used in some scripts, raw `lxml` is used in validation logic, and Zip archive members are not sanitized.
Recommendations
- AI detected serious security threats
Audit Metadata