Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 23 findings: 9 critical, 9 high, 5 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (23)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/office/soffice.py:14 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/office/soffice.py:37 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/office/soffice.py:59 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/office/validators/redlining.py:138 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/office/validators/redlining.py:167 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/thumbnail.py:161 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ttboy/pptx/scripts/thumbnail.py:178 |
| CRITICAL | Credential harvesting. Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/ttboy/pptx/scripts/office/soffice.py:25 |
| CRITICAL | LD_PRELOAD used to bypass sandbox restrictions. The `scripts/office/soffice.py` script dynamically compiles and uses an `LD_PRELOAD` shim (`lo_socket_shim.so`) to intercept system calls (`socket`, `listen`, `accept`, `close`, `read`) for `AF_UNIX` sockets. This is explicitly stated as a method to run LibreOffice in environments where `AF_UNIX` sockets may be blocked (e.g., sandboxed VMs). This technique is a known method for bypassing sandbox restrictions and can lead to privilege escalation or escape from a confined execution environment. Avoid using `LD_PRELOAD` to bypass sandbox restrictions. If `AF_UNIX` sockets are blocked, consider alternative methods for inter-process communication that are compatible with the sandboxed environment, or ensure the sandbox explicitly allows this behavior and its implications are understood. | LLM | scripts/office/soffice.py:21 |
| HIGH | Unsafe environment variable passthrough. Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/ttboy/pptx/scripts/office/soffice.py:25 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ttboy/pptx/scripts/office/pack.py:117 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_soffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/office/soffice.py:37 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_ensure_shim'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/office/soffice.py:59 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/office/validators/redlining.py:138 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/office/validators/redlining.py:167 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/thumbnail.py:161 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ttboy/pptx/scripts/thumbnail.py:178 |
| HIGH | Dynamic C code compilation via `gcc`. The `scripts/office/soffice.py` script compiles C source code (`_SHIM_SOURCE`) into a shared library (`.so`) using `subprocess.run(['gcc', ...])`. While the C source is hardcoded within the script, the dynamic compilation and loading of native code at runtime introduces a significant attack surface. A compromised `gcc` binary or an environment where the `_SHIM_SOURCE` could be altered (e.g., via supply chain attack) could lead to arbitrary code execution. Avoid dynamic compilation of native code within an AI agent skill. If native code is required, it should be pre-compiled and included as a binary, with strict integrity checks. Ensure the execution environment has a trusted `gcc` binary and that the skill's source code is protected from tampering. | LLM | scripts/office/soffice.py:57 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ttboy/pptx/scripts/clean.py:14 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ttboy/pptx/scripts/office/validators/pptx.py:207 |
| MEDIUM | Suspicious import: socket. Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ttboy/pptx/scripts/office/soffice.py:18 |
| MEDIUM | External command execution for image conversion. The `scripts/thumbnail.py` script uses `subprocess.run` to execute external commands `soffice` (LibreOffice) and `pdftoppm` (Poppler utility) for converting PowerPoint files to images. While arguments are constructed programmatically, the reliance on external binaries introduces a dependency risk. A malicious `soffice` or `pdftoppm` binary in the execution environment could lead to arbitrary code execution. This also implicitly inherits the `LD_PRELOAD` sandbox bypass mechanism from `scripts/office/soffice.py` when calling `soffice`. Minimize reliance on external binaries. If necessary, ensure strict validation of binary paths and integrity checks. Consider using containerized environments where the `soffice` and `pdftoppm` binaries are known and trusted. Explicitly document the external dependencies and their versions. | LLM | scripts/thumbnail.py:160 |
| MEDIUM | External command execution for text diffing. The `scripts/office/validators/redlining.py` script uses `subprocess.run` to execute the `git diff` command for comparing text content. This introduces a dependency on the `git` binary being present and uncompromised in the execution environment. A malicious `git` binary could lead to arbitrary code execution. Minimize reliance on external binaries. If necessary, ensure strict validation of binary paths and integrity checks. Consider using a pure Python diffing library instead of an external `git` command, or ensure the execution environment has a trusted `git` binary. | LLM | scripts/office/validators/redlining.py:147 |