Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 17 findings: 6 critical, 8 high, 2 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Network egress to untrusted endpoints".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (17)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/pack.py:103 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx/scripts/thumbnail.py:219 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/document-processing/pptx/scripts/thumbnail.py:237 |
| CRITICAL | **`html2pptx.js` allows arbitrary file read and potential browser exploits.** The `html2pptx.js` script uses `playwright` to render HTML content. The `htmlFilePath` (implicitly derived from the input HTML file) and image `el.src` attributes can be controlled by the user. Loading arbitrary local HTML files via `page.goto(fileURL)` allows the HTML to potentially read local files using `file://` URLs, make unauthorized network requests, or exploit browser vulnerabilities within the `chromium` context. Furthermore, the explicit handling of `file://` URLs for image `el.src` attributes means a malicious `el.src` (e.g., `file:///etc/passwd`) could cause `sharp` to read sensitive local files and potentially embed them into the generated PPTX or exfiltrate them. 1. **HTML Rendering**: Render HTML in a highly isolated and sandboxed environment. Strictly validate and sanitize all HTML input to prevent XSS and other browser-based attacks. Consider disallowing direct loading of arbitrary local HTML files. 2. **File URLs**: Implement strict validation for `file://` URLs in image sources to ensure they only point to allowed directories or files, or disallow them entirely. Prevent path traversal sequences (`..`, absolute paths) in `el.src` values. | LLM | scripts/html2pptx.js:170 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/pack.py:103 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/validation/redlining.py:153 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx/scripts/thumbnail.py:219 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/document-processing/pptx/scripts/thumbnail.py:237 |
| HIGH | **`pack.py` vulnerable to command injection via output filename.** The `pack.py` script uses `subprocess.run` to execute the external `soffice` command for document validation. The `doc_path` argument passed to `soffice` is derived from `output_file`, which is directly taken from user-controlled command-line arguments (`sys.argv[2]`). Although `subprocess.run` is used with a list of arguments (which generally prevents shell injection), a specially crafted `output_file` name (e.g., one starting with `--` or containing characters interpreted as commands by `soffice`) could potentially lead to unintended command execution or manipulation of `soffice`'s behavior. Strictly validate and sanitize the `output_file` argument to ensure it is a safe and valid filename before passing it to `subprocess.run`. Consider using `shlex.quote` if the command were to be executed via `shell=True`, or ensure `soffice` is run in a highly sandboxed environment. | LLM | ooxml/scripts/pack.py:90 |
| HIGH | **`thumbnail.py` vulnerable to command injection via input filename.** The `thumbnail.py` script uses `subprocess.run` to execute external commands (`soffice` and `convert` from ImageMagick). The `input_path` argument for `soffice` is directly taken from user-controlled command-line arguments (`sys.argv[1]`). Similar to `pack.py`, a malicious `input_path` (e.g., containing shell metacharacters or specially crafted options for `soffice` or `convert`) could lead to unintended command execution or manipulation of the external tools' behavior. Strictly validate and sanitize the `input_path` argument to ensure it is a safe and valid filename before passing it to `subprocess.run`. Ensure `soffice` and `convert` are configured to run in a highly sandboxed environment if possible. | LLM | scripts/thumbnail.py:160 |
| HIGH | **`unpack.py` vulnerable to Zip Slip via `extractall`.** The `unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)` to extract the contents of a `.pptx` file. The `input_file` is directly taken from user-controlled command-line arguments (`sys.argv[1]`). If a malicious `.pptx` file (which is a ZIP archive) contains entries with path traversal sequences (e.g., `../../../../etc/passwd`), `extractall` could write files outside the intended `output_path`. This could lead to arbitrary file overwrite, creation of malicious files in sensitive system locations, or data corruption. Avoid using `extractall()` with untrusted archives. Instead, iterate through each member of the zip file, validate its name to prevent path traversal (e.g., check for `..` or absolute paths), and then extract it to a safe, controlled location within the `output_path`. | LLM | ooxml/scripts/unpack.py:14 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Unpinned external dependencies introduce supply chain risks.** The skill relies on several external Python and JavaScript libraries (`markitdown`, `Sharp`, `PptxGenJS`, `playwright`, `sharp`, `Pillow`, `python-pptx`, `lxml`, `defusedxml`, `six`) and external system commands (`soffice`, `convert`). The `SKILL.md` and Python/JavaScript files do not specify exact versions for these dependencies. This lack of pinning can lead to: 1. **Vulnerability Introduction**: A new version of a dependency might introduce a security vulnerability. 2. **Build Instability**: Future installations might pull incompatible or broken versions. 3. **Typosquatting**: While not directly visible, unpinned dependencies increase the risk if a malicious package with a similar name is published. For Python dependencies, create a `requirements.txt` file with pinned versions (e.g., `package==1.2.3`). For JavaScript dependencies, use `package.json` with exact versions or lock files (`package-lock.json`, `yarn.lock`). For system commands (`soffice`, `convert`), document required versions and ensure they are installed from trusted sources. | LLM | SKILL.md:1 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |