Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 8 critical, 11 high, 5 medium, and 1 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 1ed29a03). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (25)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:14 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:37 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:138 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:167 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:161 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:178 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:25 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:25 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/pack.py:117 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:37 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:138 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/redlining.py:167 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:161 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/thumbnail.py:178 | |
| HIGH | Zip Slip vulnerability in Office file unpacker The `unpack.py` script uses `zipfile.ZipFile.extractall()` with user-controlled input (`input_file`). A malicious Office file (which is a ZIP archive) could contain paths like `../../etc/passwd`, allowing an attacker to write arbitrary files to the filesystem outside the intended `output_directory`. This can lead to arbitrary file write, potentially compromising the system. Modify the `unpack` function to iterate through each member of the zip archive and extract it safely, ensuring that the extracted path does not escape the target directory. Alternatively, use a library or function that provides built-in Zip Slip protection. | Unknown | scripts/office/unpack.py:37 | |
| HIGH | XML External Entity (XXE) Injection in XML parsing for redline simplification The `simplify_redlines.py` script uses `xml.etree.ElementTree.parse()` to parse XML content from `document.xml` within an unpacked Office file. This XML content is derived from user-provided Office files. `xml.etree.ElementTree` is vulnerable to XML External Entity (XXE) attacks, which could allow an attacker to read arbitrary files from the server, perform Server-Side Request Forgery (SSRF), or cause a denial of service. While `defusedxml` is used in other parts of the skill for XML parsing, it is not consistently applied here. Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` for parsing XML content derived from untrusted sources. If `xml.etree.ElementTree` must be used, configure its parser to explicitly disable DTD processing and external entity resolution (e.g., `parser = ET.XMLParser(); parser.resolvers.add(ET.DTD_NO_NETWORK); tree = ET.parse(xml_file, parser)`). | Unknown | scripts/office/helpers/simplify_redlines.py:146 | |
| HIGH | Path traversal vulnerability in slide duplication The `add_slide.py` script uses `shutil.copy2(source_slide, dest_slide)` where `source_slide` is constructed from user-controlled input (`source`). If `source` contains path traversal sequences (e.g., `../../etc/passwd`), an attacker could read or overwrite arbitrary files on the system. The script checks `source_slide.exists()` but does not validate if `source_slide` is within the expected `unpacked_dir`. Implement strict validation and sanitization of the `source` argument to prevent path traversal. Ensure that the resolved path of `source_slide` is strictly contained within the `unpacked_dir` before performing any file operations. For example, resolve both paths to their absolute forms and check if `source_slide` starts with `unpacked_dir`. | Unknown | scripts/add_slide.py:64 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/clean.py:14 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/validators/pptx.py:207 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-dhrmpczq/repo/skills/pptx/scripts/office/soffice.py:18 | |
| MEDIUM | Potential command injection in `thumbnail.py` via external tools The `thumbnail.py` script executes external commands (`soffice` and `pdftoppm`) using `subprocess.run` with arguments derived from user-controlled input (`args.input`). While `subprocess.run` with a list of arguments is generally safer than a shell string, a maliciously crafted filename (e.g., containing special characters or options interpreted by `soffice` or `pdftoppm`) could potentially lead to unintended command execution or file manipulation if these tools have vulnerabilities in argument parsing. Implement strict validation and sanitization of filenames derived from user input before passing them to external commands. Consider using a whitelist of allowed characters for filenames or ensuring that filenames are properly quoted if passed as part of a shell command (though `subprocess.run` with a list avoids shell interpretation for the arguments themselves, the *values* of the arguments can still be interpreted by the target program). | Unknown | scripts/thumbnail.py:118 | |
| MEDIUM | Use of `LD_PRELOAD` for sandbox circumvention The `soffice.py` script dynamically compiles and uses an `LD_PRELOAD` shim (`lo_socket_shim.so`) to modify `socket` and `close` calls for `soffice`. While this is intended to work around sandboxing limitations, `LD_PRELOAD` is a powerful mechanism that can be abused to inject arbitrary code into processes. If there's any vulnerability in the shim's C code or the way it's compiled/loaded, it could lead to privilege escalation or sandbox escape. The script controls the shim's source and path, but the use of such a technique is inherently high-risk. Re-evaluate the necessity of using `LD_PRELOAD`. If absolutely required, ensure the C shim code is thoroughly audited for vulnerabilities. Consider if alternative, less privileged methods exist to achieve the desired functionality within sandboxed environments. | Unknown | scripts/office/soffice.py:20 | |
| LOW | Global npm package installation The `SKILL.md` instructs the agent to perform a global `npm install -g pptxgenjs`. Global installations can sometimes lead to permission issues, conflicts with other globally installed packages, or make it harder to manage dependencies in a reproducible way. While `pptxgenjs` itself might be benign, relying on global installs for skill dependencies can introduce subtle supply chain risks if not carefully managed. Prefer local package installations (e.g., `npm install pptxgenjs` within the skill's directory) or containerized environments to isolate dependencies and prevent global system pollution. | Unknown | SKILL.md:79 | |