Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 7 critical, 12 high, 1 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Unsafe deserialization / dynamic eval", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-official/ooxml/scripts/pack.py:103 | |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-official/ooxml/scripts/validation/redlining.py:153 | |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-official/ooxml/scripts/validation/redlining.py:185 | |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-official/scripts/thumbnail.py:219 | |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pptx-official/scripts/thumbnail.py:237 | |
| CRITICAL | **Explicit instruction to ignore range limits for file reading.** The skill explicitly instructs the LLM with phrases like 'MANDATORY - READ ENTIRE FILE: Read [file] completely from start to finish. NEVER set any range limits when reading this file.' for multiple files (`html2pptx.md`, `ooxml.md`, `template-content.md`, `text-inventory.json`). These instructions are located within the untrusted input delimiters, making them a direct attempt to manipulate the LLM's behavior and override its safety mechanisms regarding file content truncation. This could force the LLM to consume potentially large or sensitive files entirely, leading to resource exhaustion or unintended exposure of sensitive data. Remove instructions that attempt to override the LLM's default behavior or safety mechanisms, especially regarding file content truncation. Rely on the LLM's inherent ability to determine relevant content and manage file reading limits. | LLM | SKILL.md:147 | |
| CRITICAL | **Zip Slip vulnerability in `ooxml/scripts/unpack.py`.** The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)`. This function is vulnerable to a 'Zip Slip' attack. A malicious `input_file` (a crafted zip archive) can contain entries with path traversal sequences (e.g., `../../../../etc/passwd`), causing files to be extracted outside the intended `output_path` directory. This could lead to arbitrary file overwrite, creation of malicious files in sensitive system locations, or data exfiltration. The script takes `input_file` directly from `sys.argv`, making it directly controllable by untrusted input. Implement secure extraction by validating each file path within the zip archive before extraction. Ensure that extracted file paths do not escape the designated `output_path`. A common approach is to resolve the target path for each file and check if it starts with the `output_path`. | LLM | ooxml/scripts/unpack.py:15 | |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-official/ooxml/scripts/pack.py:144 | |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-official/scripts/html2pptx.js:884 | |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-official/scripts/inventory.py:5 | |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-official/scripts/inventory.py:117 | |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/pptx-official/scripts/rearrange.py:8 | |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-official/ooxml/scripts/pack.py:103 | |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-official/ooxml/scripts/validation/redlining.py:153 | |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-official/ooxml/scripts/validation/redlining.py:185 | |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-official/scripts/thumbnail.py:219 | |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pptx-official/scripts/thumbnail.py:237 | |
| HIGH | **Potential command injection via `subprocess.run` with `soffice`.** The scripts `ooxml/scripts/pack.py` and `scripts/thumbnail.py` use `subprocess.run` to execute `soffice` (LibreOffice/OpenOffice) for document validation and image conversion, respectively. The `doc_path` (or `input_path`) argument to `soffice` is derived from user-provided file paths. While `soffice` itself is a legitimate application, if a malicious user can craft a file path that includes shell metacharacters or commands, it could lead to arbitrary command execution. Although `soffice` typically expects file paths, the risk exists if the underlying shell or `soffice` itself has vulnerabilities in handling malformed paths. Ensure all arguments passed to `subprocess.run` are properly sanitized and quoted to prevent shell injection. Using `shlex.quote()` for each argument is recommended if `shell=True` is used (though `shell=False` is generally safer and preferred). Consider using a dedicated library for document conversion that doesn't rely on external shell commands if possible. | LLM | ooxml/scripts/pack.py:89 | |
| HIGH | **`html2pptx.js` processes untrusted HTML/image paths with `playwright` and `sharp`.** The `scripts/html2pptx.js` script uses `playwright` to render HTML and `sharp` for image processing. If the HTML content or image paths (`el.src`, `slideData.background.path`) are derived from untrusted user input, a malicious user could: (1) **Data Exfiltration**: Craft HTML to make network requests (e.g., via `<img>` tags, `<link>` tags, or JavaScript if enabled) to exfiltrate local file content or other sensitive data accessible to the `playwright` browser context. (2) **Arbitrary File Access**: Use `sharp` to process malicious image files (e.g., image bombs for resource exhaustion) or attempt to read/write arbitrary files if `imagePath` can be manipulated to point to sensitive locations. The script explicitly mentions 'Rasterize gradients and icons as PNG images FIRST using Sharp, then reference in HTML', implying `sharp` is used for creation, but the subsequent referencing of `imagePath` from `el.src` or `slideData.background.path` could still be exploited if the HTML is untrusted. Strictly sanitize or validate all HTML content and file paths before passing them to `playwright` or `sharp`. If user-provided HTML is processed, ensure it's rendered in a highly sandboxed environment with network access disabled and local file access restricted. For image paths, ensure they are strictly confined to an allowed directory and do not contain path traversal sequences. | LLM | scripts/html2pptx.js:169 | |
| MEDIUM | **Unpinned external dependencies (`markitdown`, `playwright`, `sharp`).** The skill mentions using `markitdown` (in `SKILL.md`) and `playwright`, `sharp` (in `scripts/html2pptx.js`). The provided context does not include `package.json` or `requirements.txt` files. Without pinned versions for these external dependencies, there's a risk of: (1) **Vulnerability Introduction**: A new version of a dependency might introduce a security vulnerability. (2) **Breaking Changes**: Updates could break functionality. (3) **Typosquatting/Malicious Packages**: If the skill is installed in an environment without strict dependency management, there's a risk of installing a malicious package with a similar name. Provide a `requirements.txt` (for Python) and `package.json` (for Node.js) with all external dependencies explicitly listed and pinned to specific versions (e.g., `playwright@1.30.0`, `sharp@0.31.0`). Regularly audit and update these dependencies. | LLM | SKILL.md:40 | |