Security Audit

pptx

github.com/anthropics/skills

AI SkillCommit 1ed29a03dc85

CRITICAL

Scanned 8 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 25 findings: 8 critical, 11 high, 5 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.

The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 11, 2026 (commit 1ed29a03). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

39%

Behavioral Risk Signals

Network Access

3 findings

Filesystem Write

5 findings

Shell Execution

18 findings

Dynamic Code

6 findings

Excessive Permissions

3 findings

Security Findings25

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:14
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:37
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:59
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:138
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:167
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:161
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:178
CRITICAL	Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:25
HIGH	Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:25
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/pack.py:117
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:37
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:59
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:138
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:167
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:161
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:178
HIGH	Zip Slip vulnerability in Office file unpacker The `unpack.py` script uses `zipfile.ZipFile.extractall()` with user-controlled input (`input_file`). A malicious Office file (which is a ZIP archive) could contain paths like `../../etc/passwd`, allowing an attacker to write arbitrary files to the filesystem outside the intended `output_directory`. This can lead to arbitrary file write, potentially compromising the system. Modify the `unpack` function to iterate through each member of the zip archive and extract it safely, ensuring that the extracted path does not escape the target directory. Alternatively, use a library or function that provides built-in Zip Slip protection.	Unknown	scripts/office/unpack.py:37
HIGH	XML External Entity (XXE) Injection in XML parsing for redline simplification The `simplify_redlines.py` script uses `xml.etree.ElementTree.parse()` to parse XML content from `document.xml` within an unpacked Office file. This XML content is derived from user-provided Office files. `xml.etree.ElementTree` is vulnerable to XML External Entity (XXE) attacks, which could allow an attacker to read arbitrary files from the server, perform Server-Side Request Forgery (SSRF), or cause a denial of service. While `defusedxml` is used in other parts of the skill for XML parsing, it is not consistently applied here. Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` for parsing XML content derived from untrusted sources. If `xml.etree.ElementTree` must be used, configure its parser to explicitly disable DTD processing and external entity resolution (e.g., `parser = ET.XMLParser(); parser.resolvers.add(ET.DTD_NO_NETWORK); tree = ET.parse(xml_file, parser)`).	Unknown	scripts/office/helpers/simplify_redlines.py:146
HIGH	Path traversal vulnerability in slide duplication The `add_slide.py` script uses `shutil.copy2(source_slide, dest_slide)` where `source_slide` is constructed from user-controlled input (`source`). If `source` contains path traversal sequences (e.g., `../../etc/passwd`), an attacker could read or overwrite arbitrary files on the system. The script checks `source_slide.exists()` but does not validate if `source_slide` is within the expected `unpacked_dir`. Implement strict validation and sanitization of the `source` argument to prevent path traversal. Ensure that the resolved path of `source_slide` is strictly contained within the `unpacked_dir` before performing any file operations. For example, resolve both paths to their absolute forms and check if `source_slide` starts with `unpacked_dir`.	Unknown	scripts/add_slide.py:64
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/clean.py:14
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/pptx.py:207
MEDIUM	Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:18
MEDIUM	Potential command injection in `thumbnail.py` via external tools The `thumbnail.py` script executes external commands (`soffice` and `pdftoppm`) using `subprocess.run` with arguments derived from user-controlled input (`args.input`). While `subprocess.run` with a list of arguments is generally safer than a shell string, a maliciously crafted filename (e.g., containing special characters or options interpreted by `soffice` or `pdftoppm`) could potentially lead to unintended command execution or file manipulation if these tools have vulnerabilities in argument parsing. Implement strict validation and sanitization of filenames derived from user input before passing them to external commands. Consider using a whitelist of allowed characters for filenames or ensuring that filenames are properly quoted if passed as part of a shell command (though `subprocess.run` with a list avoids shell interpretation for the arguments themselves, the values of the arguments can still be interpreted by the target program).	Unknown	scripts/thumbnail.py:118
MEDIUM	Use of `LD_PRELOAD` for sandbox circumvention The `soffice.py` script dynamically compiles and uses an `LD_PRELOAD` shim (`lo_socket_shim.so`) to modify `socket` and `close` calls for `soffice`. While this is intended to work around sandboxing limitations, `LD_PRELOAD` is a powerful mechanism that can be abused to inject arbitrary code into processes. If there's any vulnerability in the shim's C code or the way it's compiled/loaded, it could lead to privilege escalation or sandbox escape. The script controls the shim's source and path, but the use of such a technique is inherently high-risk. Re-evaluate the necessity of using `LD_PRELOAD`. If absolutely required, ensure the C shim code is thoroughly audited for vulnerabilities. Consider if alternative, less privileged methods exist to achieve the desired functionality within sandboxed environments.	Unknown	scripts/office/soffice.py:20
LOW	Global npm package installation The `SKILL.md` instructs the agent to perform a global `npm install -g pptxgenjs`. Global installations can sometimes lead to permission issues, conflicts with other globally installed packages, or make it harder to manage dependencies in a reproducible way. While `pptxgenjs` itself might be benign, relying on global installs for skill dependencies can introduce subtle supply chain risks if not carefully managed. Prefer local package installations (e.g., `npm install pptxgenjs` within the skill's directory) or containerized environments to isolate dependencies and prevent global system pollution.	Unknown	SKILL.md:79

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/a83a2070d8fbae49.svg)](https://skillshield.io/report/a83a2070d8fbae49)