Security Audit
lawvable/awesome-legal-skills:skills/pptx-processing-anthropic
github.com/lawvable/awesome-legal-skills
Trust Assessment
lawvable/awesome-legal-skills:skills/pptx-processing-anthropic received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 6 critical, 12 high, 2 medium, and 0 low severity. Key findings include arbitrary command execution, unsafe deserialization / dynamic eval, and a dangerous call to subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 26, 2026 (commit 4d82d4cf). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution** (Python shell execution: os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-processing-anthropic/ooxml/scripts/pack.py:103 |
| CRITICAL | **Arbitrary command execution** (Python shell execution: os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-processing-anthropic/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | **Arbitrary command execution** (Python shell execution: os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-processing-anthropic/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | **Arbitrary command execution** (Python shell execution: os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-processing-anthropic/scripts/thumbnail.py:219 |
| CRITICAL | **Arbitrary command execution** (Python shell execution: os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-processing-anthropic/scripts/thumbnail.py:237 |
| CRITICAL | **Command Injection via User-Controlled File Paths in Skill Instructions.** The `SKILL.md` instructs the agent to execute various Python scripts and shell commands (`python`, `find`) using file paths and arguments that are directly derived from user input (e.g., `<office_file>`, `<output_dir>`, `path-to-file.pptx`, `template.pptx`, `replacements.json`, `sequence`). If the agent does not properly sanitize or quote these user-controlled inputs before passing them to the shell, a malicious user could inject arbitrary shell commands, leading to remote code execution on the host system. The agent must rigorously sanitize and properly quote all user-controlled file paths and arguments before executing any shell commands. Consider using `shlex.quote()` in Python or similar mechanisms in other languages. Ideally, avoid direct shell execution with user input where possible, or use APIs that handle arguments as a list rather than a single string. | LLM | SKILL.md:30 |
| HIGH | **Unsafe deserialization / dynamic eval** (decryption followed by code execution). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-processing-anthropic/ooxml/scripts/pack.py:144 |
| HIGH | **Unsafe deserialization / dynamic eval** (decryption followed by code execution). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-processing-anthropic/scripts/html2pptx.js:884 |
| HIGH | **Unsafe deserialization / dynamic eval** (decryption followed by code execution). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-processing-anthropic/scripts/inventory.py:5 |
| HIGH | **Unsafe deserialization / dynamic eval** (decryption followed by code execution). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-processing-anthropic/scripts/inventory.py:117 |
| HIGH | **Unsafe deserialization / dynamic eval** (decryption followed by code execution). Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-processing-anthropic/scripts/rearrange.py:8 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-processing-anthropic/ooxml/scripts/pack.py:103 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-processing-anthropic/ooxml/scripts/validation/redlining.py:153 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-processing-anthropic/ooxml/scripts/validation/redlining.py:185 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-processing-anthropic/scripts/thumbnail.py:219 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-processing-anthropic/scripts/thumbnail.py:237 |
| HIGH | **Command Injection via ImageMagick (convert) in Thumbnail Generation.** The `scripts/thumbnail.py` script uses `subprocess.run` to invoke ImageMagick's `convert` command with a PDF file derived from user-provided `.pptx` input. ImageMagick has a history of vulnerabilities (e.g., ImageTragick) where specially crafted image or document files can lead to arbitrary code execution. A malicious `.pptx` file could be designed to exploit ImageMagick during the thumbnail generation process, potentially allowing an attacker to execute arbitrary commands on the host system. Mitigate ImageMagick vulnerabilities by: 1) ensuring ImageMagick is sandboxed (e.g., using AppArmor, SELinux, or Docker containers) with minimal permissions; 2) disabling dangerous delegates in ImageMagick's policy.xml; 3) keeping ImageMagick updated to the latest secure version; 4) considering alternative, safer image processing libraries if possible. | LLM | scripts/thumbnail.py:204 |
| HIGH | **Arbitrary Local File Read via Playwright and Sharp in html2pptx.js.** The `scripts/html2pptx.js` script uses `playwright` to load HTML files (`page.goto(fileUrl)`) and `sharp` to process images (`sharp(imagePath)`). Both `htmlFilePath` and `imagePath` are derived from user-controlled input, and the script explicitly handles `file://` URLs. This allows a malicious user to craft an HTML file or image path that points to arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) on the agent's system. While the script does not explicitly exfiltrate this data, the ability to read sensitive local files is a significant data exfiltration vulnerability. Restrict `playwright` and `sharp` to only access files within a designated, isolated working directory. Implement strict validation and sanitization of all file paths to prevent access to arbitrary locations on the filesystem. Avoid using `file://` URLs with user-controlled paths if possible, or ensure they are heavily sandboxed. | LLM | scripts/html2pptx.js:105 |
| MEDIUM | **Path Traversal Vulnerability in Zip Extraction.** The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)` where `input_file` is user-controlled. The `extractall` method in Python's `zipfile` module is known to be vulnerable to path traversal attacks. A malicious `.pptx` file (which is a zip archive) could contain entries with paths like `../../../../etc/passwd`, allowing an attacker to write or overwrite files outside the intended `output_path` directory. Before extracting, inspect each member's name in the zip archive to ensure it does not contain path traversal sequences (e.g., `..`). Only extract files whose resolved paths are strictly within the designated `output_path`. | LLM | ooxml/scripts/unpack.py:16 |
| MEDIUM | **Unpinned Dependencies Across Python and JavaScript Scripts.** The Python scripts (`pack.py`, `unpack.py`, `validate.py`, `inventory.py`, `rearrange.py`, `replace.py`, `thumbnail.py`) and the JavaScript script (`html2pptx.js`) do not specify exact versions for their external dependencies (e.g., `pptx`, `PIL`, `defusedxml`, `lxml`, `playwright`, `sharp`). This lack of dependency pinning introduces supply chain risks, as future updates to these libraries could introduce breaking changes, new vulnerabilities, or even malicious code (dependency confusion attacks) if not carefully managed. The skill's functionality and security could be compromised by unverified dependency updates. Implement a `requirements.txt` for Python dependencies and a `package.json` with pinned versions for JavaScript dependencies. Regularly audit and update these dependencies, verifying their integrity and security before deployment. | LLM | SKILL.md:1 |
Full report: https://skillshield.io/report/ccdb3f5529da4de2