Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 5 critical, 7 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/pack.py:103 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx-official/scripts/thumbnail.py:219 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx-official/scripts/thumbnail.py:237 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/pack.py:103 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/validation/redlining.py:153 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx-official/ooxml/scripts/validation/redlining.py:185 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx-official/scripts/thumbnail.py:219 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx-official/scripts/thumbnail.py:237 |
| HIGH | Zip Slip Vulnerability in File Extraction. The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)` to extract archive contents. If `input_file` is an untrusted ZIP archive (e.g., provided by a malicious user), it can contain files with directory traversal sequences (e.g., `../../malicious.txt`). When extracted, these files could be written to arbitrary locations on the filesystem outside the intended `output_path`, potentially overwriting critical system files, creating executable files in sensitive directories, or exfiltrating data by writing to accessible locations. The skill explicitly instructs the LLM to use this script with `<office_file>` which could be user-provided. Implement a secure extraction process that validates each file path within the archive to prevent directory traversal. Ensure that the resolved path for each extracted member does not escape the designated `output_path`. | LLM | ooxml/scripts/unpack.py:14 |
| HIGH | Arbitrary HTML/JavaScript Execution via Playwright. The `scripts/html2pptx.js` script uses `playwright` to launch `chromium` and load an HTML file (`htmlFilePath`) via `page.goto(htmlFilePath)`. The skill instructs the LLM to 'Create an HTML file for each slide' and then process it. If the content of this HTML file is derived from untrusted user input, a malicious user could inject arbitrary HTML and JavaScript. While `page.evaluate` itself uses static code, the rendering of arbitrary HTML/JS in `chromium` presents a significant attack surface. A browser vulnerability or misconfiguration could allow sandbox escapes, leading to arbitrary code execution on the host system, or data exfiltration from the browser's context (e.g., cookies, local storage, or even local file access if the browser is run without proper sandboxing or has a vulnerability). If HTML content is derived from untrusted sources, it must be rigorously sanitized before being passed to `playwright`. Consider running `chromium` in a highly restricted, isolated environment (e.g., a container or VM) with minimal privileges and network access. Ensure Playwright is configured with maximum security settings (e.g., disabling extensions, running in headless mode, strict sandboxing). | LLM | scripts/html2pptx.js:100 |
| MEDIUM | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | External Binary Execution and Dependency Risk. The skill relies on external binaries (`soffice` in `ooxml/scripts/pack.py` and `git` in `ooxml/scripts/validation/redlining.py`) executed via `subprocess.run`. While arguments are passed as lists to prevent shell injection, the execution of these external programs introduces a dependency risk. If these binaries are not present, are outdated, or contain vulnerabilities, they could be exploited. Specifically, `soffice` processes complex office document formats, which are a common target for exploits. Processing untrusted documents with `soffice` could lead to arbitrary code execution if a vulnerability exists in `soffice` itself. The reliance on `git` for text differencing is less critical but still an external dependency. The skill's manifest does not explicitly list these external binary dependencies, which is a supply chain risk. Explicitly list all external binary dependencies. Ensure they are installed from trusted sources and kept up-to-date. Consider using containerized environments to isolate the execution of these commands and limit their privileges, especially for `soffice` when processing untrusted input. | LLM | ooxml/scripts/pack.py:104 |
| LOW | Covert behavior / concealment directives. Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |