Security Audit
snyk/agent-scan:tests/skills/pptx
github.com/snyk/agent-scan
Trust Assessment
snyk/agent-scan:tests/skills/pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 6 critical, 12 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/pptx/ooxml/scripts/pack.py:102 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/pptx/ooxml/scripts/validation/redlining.py:143 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/pptx/ooxml/scripts/validation/redlining.py:175 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/pptx/scripts/thumbnail.py:211 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/pptx/scripts/thumbnail.py:229 |
| CRITICAL | Zip Slip Vulnerability in unpack.py. The `ooxml/scripts/unpack.py` script uses `zipfile.ZipFile(input_file).extractall(output_path)` without validating the paths within the archive. If `input_file` is a malicious zip archive crafted by an attacker (e.g., containing paths like `../../../../etc/passwd`), it can write files to arbitrary locations on the filesystem. This allows for data corruption, privilege escalation, or other severe system compromise. The `input_file` argument is derived from user input, making this a direct exploit path. Implement a secure extraction mechanism that validates file paths within the archive to prevent directory traversal. Ensure that each extracted file's path resolves strictly within the intended `output_path`. | Static | ooxml/scripts/unpack.py:20 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/pptx/ooxml/scripts/pack.py:143 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/pptx/scripts/html2pptx.js:884 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/pptx/scripts/inventory.py:5 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/pptx/scripts/inventory.py:108 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/skills/pptx/scripts/rearrange.py:8 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/pptx/ooxml/scripts/pack.py:102 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/pptx/ooxml/scripts/validation/redlining.py:143 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/pptx/ooxml/scripts/validation/redlining.py:175 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/pptx/scripts/thumbnail.py:211 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/pptx/scripts/thumbnail.py:229 |
| HIGH | SSRF/LFI via Playwright in html2pptx.js. The `scripts/html2pptx.js` script uses Playwright to render HTML files. The `page.goto(htmlFilePath)` call and the handling of image `src` attributes (`el.src`) in `addElements` are vulnerable if `htmlFilePath` or the content of the HTML (including image `src`s) can be influenced by untrusted user input. An attacker could craft an HTML file or provide a URL that points to sensitive local files (e.g., `file:///etc/passwd`) or internal network services, leading to Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI). The skill documentation indicates that HTML content is created based on user input. 1. Sanitize or strictly validate all URLs and file paths derived from user input before passing them to `page.goto()` or using them as image sources. 2. Consider running Playwright in a sandboxed environment with strict network and file system access policies. 3. For image sources, only allow specific protocols (e.g., `data:` URLs or URLs from an allow-list of trusted domains) and validate file paths to ensure they are within an expected, isolated directory. | Static | scripts/html2pptx.js:100 |
| HIGH | Prompt Injection via replacement-text.json. The `replacement-text.json` file is generated based on user input and subsequently processed by the agent via `scripts/replace.py`. If the user can craft input that, when incorporated into this JSON, contains instructions or data that can manipulate the agent's subsequent behavior (e.g., by embedding commands in text fields that the agent later interprets as new instructions), it constitutes a prompt injection. While `replace.py` itself performs text replacement, the overall agent workflow is susceptible to manipulation if user-influenced data can alter its control flow. 1. Implement strict input validation and sanitization for all user-provided text that will be incorporated into `replacement-text.json`. 2. Ensure that the agent's interpretation of data from `replacement-text.json` is strictly limited to its intended purpose (e.g., text replacement) and does not allow for re-interpretation as new instructions or commands. 3. Consider using a separate, isolated context for processing user-generated content to prevent it from influencing the main agent's control flow. | LLM | SKILL.md:204 |
| MEDIUM | Command Execution via markitdown. The skill documentation instructs the agent to execute `python -m markitdown path-to-file.pptx`. While `subprocess.run` with a list of arguments is generally safer against direct shell injection, the execution of an external Python module (`markitdown`) with a user-influenced `path-to-file.pptx` argument introduces a risk. If `markitdown` itself has vulnerabilities that can be triggered by a specially crafted `.pptx` file or by a malicious file path (e.g., if it internally uses `os.system` or similar with unsanitized input), it could lead to arbitrary code execution. 1. Thoroughly audit the `markitdown` library for vulnerabilities, especially regarding file parsing and path handling. 2. Ensure that `path-to-file.pptx` is strictly validated and sanitized to prevent any form of path traversal or injection. 3. Consider running such external tools in a highly restricted, sandboxed environment. | Static | SKILL.md:18 |
| MEDIUM | Command Execution via soffice in pack.py. The `ooxml/scripts/pack.py` script uses `subprocess.run` to execute `soffice` (LibreOffice/OpenOffice) for document validation. Although arguments are passed as a list, reducing direct shell injection risk, the execution of an external, complex binary like `soffice` with a potentially untrusted input file (`doc_path`, which is derived from user input) introduces a risk. If `soffice` has vulnerabilities that can be triggered by a specially crafted `.pptx` file during conversion, it could lead to arbitrary code execution or denial of service. 1. Ensure `soffice` is kept up-to-date with the latest security patches. 2. Run `soffice` in a highly restricted, isolated sandbox environment (e.g., a container with minimal privileges and network access) to mitigate the impact of potential vulnerabilities. 3. Strictly validate the `output_file` path to prevent any path traversal attempts. | Static | ooxml/scripts/pack.py:85 |