Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 31 findings: 12 critical, 18 high, 1 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (31)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/pack.py:103 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:14 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:37 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:59 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/validators/redlining.py:138 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/validators/redlining.py:167 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/thumbnail.py:161 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/thumbnail.py:178 |
| CRITICAL | Credential harvesting: Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:25 |
| CRITICAL | Sandbox Bypass Attempt via LD_PRELOAD Shim: The `soffice.py` script dynamically compiles and uses a C shim (`lo_socket_shim.so`) via `LD_PRELOAD` to modify the behavior of `socket`, `listen`, `accept`, and `close` system calls. This is an explicit attempt to circumvent sandboxing restrictions, specifically those blocking `AF_UNIX` sockets, which is a significant security concern as it bypasses intended isolation mechanisms. While the stated purpose is to enable LibreOffice functionality, it introduces a powerful vector for privilege escalation or sandbox escape if the shim itself or its interaction with `soffice` can be exploited. Re-evaluate the necessity of this sandbox bypass. If LibreOffice functionality is critical, explore alternative methods that do not require `LD_PRELOAD` or system call interception. If unavoidable, ensure the C shim code is rigorously audited for vulnerabilities and that the environment where it runs is extremely restricted and monitored. Document the security implications clearly. | Unknown | scripts/office/soffice.py:30 |
| HIGH | Unsafe environment variable passthrough: Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:25 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/pack.py:103 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/validation/redlining.py:153 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:37 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:59 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/validators/redlining.py:138 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/validators/redlining.py:167 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/thumbnail.py:161 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/thumbnail.py:178 |
| HIGH | Path Traversal Vulnerability in File Operations: Multiple scripts use user-controlled arguments directly as file paths or components of file paths without sufficient sanitization, leading to potential path traversal vulnerabilities. An attacker could craft input containing '..' or absolute paths to read, write, or overwrite arbitrary files outside the intended working directory. Sanitize all user-provided file paths. For `zipfile.extractall`, iterate through `zf.namelist()` and validate each member's name (e.g., check for '..' or absolute paths) before extracting. Ensure `output_directory` is strictly controlled and ideally within a temporary, isolated sandbox. For other file operations, use `Path.resolve()` and `Path.is_relative_to()` to ensure paths remain within an allowed base directory. | Unknown | scripts/office/unpack.py:40 |
| HIGH | Path Traversal Vulnerability in File Operations: The `output_prefix` argument, which can be user-controlled via `sys.argv`, is directly used to construct an output file path. An attacker could provide a path like `../../sensitive_file` to write the generated thumbnail image to an arbitrary location on the filesystem. Sanitize `args.output_prefix` to prevent path traversal. Ensure it only contains valid filename characters and does not include path separators or '..'. Alternatively, use `Path.resolve()` and verify the resulting path is within an allowed output directory. | Unknown | scripts/thumbnail.py:46 |
| HIGH | Path Traversal Vulnerability in File Operations: The `source` argument, which can be user-controlled via `sys.argv`, is directly appended to `slides_dir` to form `source_slide`. If `source` contains path traversal sequences (e.g., `../../`), an attacker could read or copy arbitrary files from the filesystem. Sanitize `source` to prevent path traversal. Ensure it only contains valid filename characters and does not include path separators or '..'. Alternatively, use `Path.resolve()` and verify the resulting path is within the `unpacked_dir`. | Unknown | scripts/add_slide.py:85 |
| HIGH | Path Traversal Vulnerability in File Operations: The `output` argument, which can be user-controlled via `sys.argv`, is directly used to construct an output file path. An attacker could provide a path like `../../sensitive_data.json` to write the extracted inventory to an arbitrary location on the filesystem. Sanitize `args.output` to prevent path traversal. Ensure it only contains valid filename characters and does not include path separators or '..'. Alternatively, use `Path.resolve()` and verify the resulting path is within an allowed output directory. | Unknown | scripts/inventory.py:70 |
| HIGH | Path Traversal Vulnerability in File Operations: The `output_file` argument, which can be user-controlled via `sys.argv`, is directly used to construct an output file path. An attacker could provide a path like `../../malicious.pptx` to write the packed Office file to an arbitrary location on the filesystem. Sanitize `output_file` to prevent path traversal. Ensure it only contains valid filename characters and does not include path separators or '..'. Alternatively, use `Path.resolve()` and verify the resulting path is within an allowed output directory. | Unknown | scripts/office/pack.py:20 |
| HIGH | XML External Entity (XXE) / XML Bomb Vulnerability: The `_get_authors_from_docx` function uses `xml.etree.ElementTree.parse` to parse XML content from `word/document.xml` within an `original_docx` file. If `original_docx` is untrusted, this can lead to XML External Entity (XXE) attacks (e.g., local file disclosure, SSRF) or XML bomb attacks (Denial of Service) because `ElementTree` does not disable external entity processing by default. While `defusedxml` is used elsewhere, it is not used here. Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` for parsing XML from untrusted sources, or explicitly disable DTD and external entity processing if using `xml.etree.ElementTree`. | Unknown | scripts/office/helpers/simplify_redlines.py:201 |
| HIGH | Local File Disclosure / SSRF via Playwright `page.goto()`: The `html2pptx.js` script uses `playwright` to navigate to a URL specified by `htmlFilePath`. If `htmlFilePath` is user-controlled and `playwright` is configured to allow `file://` URLs, an attacker could specify a local file path (e.g., `file:///etc/passwd`) to disclose sensitive information. Additionally, if `playwright` allows arbitrary external URLs, this could lead to Server-Side Request Forgery (SSRF), allowing an attacker to make requests to internal network resources. Strictly validate `htmlFilePath` to ensure it only points to trusted, allowed resources. If local files are intended, restrict access to a specific, isolated directory and sanitize the path. If external URLs are allowed, implement a robust allowlist for domains and protocols. Ensure the `playwright` browser instance runs in a highly sandboxed and isolated environment to mitigate potential XSS or further exploitation. | Unknown | scripts/html2pptx.js:108 |
| HIGH | LLM analysis found no issues despite critical deterministic findings: Deterministic layers flagged 12 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | Unknown | (sanity check) |
| MEDIUM | Suspicious import: socket. Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Unknown | /tmp/skillscan-clone-zsu6aqzx/repo/skills/pptx/scripts/office/soffice.py:18 |