skills/zpankz/mcp-skillset/pptx/Gen Agent Trust Hub

pptx

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The pack.py script invokes the 'soffice' (LibreOffice) binary via subprocess.run to validate documents. While it uses argument lists to avoid shell injection, it introduces a dependency on an external system tool.
  • [DATA_EXPOSURE] (LOW): The unpack.py script uses zipfile.extractall(), which is vulnerable to path traversal (ZipSlip) if an attacker provides a malicious Office file containing relative path components like '../'.
  • [DYNAMIC_EXECUTION] (LOW): In docx.py, the use of lxml.etree.parse() without explicitly disabling external entity resolution poses a potential risk for XML External Entity (XXE) attacks, though the skill elsewhere uses the safer defusedxml library.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:32 PM