Trust Assessment
pptx-construction received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Arbitrary file read via image path in PPTX generation, Arbitrary file write to user-controlled output_path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary file read via image path in PPTX generation The `add_photos_slide` function, called by `create_progress_presentation`, uses `slide.shapes.add_picture(photo['path'], ...)` where `photo['path']` is derived directly from user-provided `project_data`. This allows an attacker to specify arbitrary file paths on the system. The `python-pptx` library will attempt to read the content of these files to embed them as images. This can lead to reading sensitive system files or other data that the skill should not have access to. If the generated PPTX is subsequently returned to the user, this constitutes data exfiltration. Implement strict input validation for `photo['path']` to ensure it refers to allowed image files within a controlled, sandboxed directory. Alternatively, modify the skill to accept image data directly (e.g., base64 encoded) or fetch images from a trusted, external source with proper authentication and authorization. Ensure the skill runs in an environment with restricted file system access. | LLM | SKILL.md:100 | |
| HIGH | Arbitrary file write to user-controlled output_path All presentation creation functions (`create_progress_presentation`, `create_bid_presentation`, `create_safety_presentation`, `create_lookahead_presentation`) accept an `output_path` parameter directly from user input. This allows an attacker to specify an arbitrary file path on the system where the generated `.pptx` file will be saved. This could lead to overwriting critical system files, filling up disk space (Denial of Service), or placing malicious files in specific locations if the skill's execution environment has sufficient write permissions. Implement strict input validation for `output_path` to ensure it is within a designated, secure, and temporary output directory. The skill should not be allowed to write to arbitrary file system locations. Consider returning the generated PPTX as a byte stream instead of saving it to a file, or saving it to a temporary, isolated location and then providing a mechanism to retrieve it. Ensure the skill runs in an environment with restricted file system write access. | LLM | SKILL.md:20 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/pptx-construction/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/e6e0704a172bbfc3)
Powered by SkillShield