Trust Assessment
tmustier/clean-slides:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 38 findings: 3 critical, 34 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 2, 2026 (commit eea068ff). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (38)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | clean_slides/screenshot.py:209 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | clean_slides/screenshot.py:256 |
| CRITICAL | Unsafe YAML deserialization. The `pptx generate` command processes user-provided YAML files. The `load_yaml` function, imported from `clean_slides.spec_pipeline`, is used to parse these files. The implementation of `load_yaml` is not provided in the context. If `yaml.load()` is used without explicitly specifying `Loader=yaml.SafeLoader`, it can lead to arbitrary code execution by deserializing malicious Python objects embedded in the YAML input. This is a well-known vulnerability in the PyYAML library when handling untrusted input. Ensure `clean_slides/spec_pipeline.py` uses `yaml.safe_load()` or `yaml.load(..., Loader=yaml.SafeLoader)` when parsing YAML files from untrusted sources. This prevents the deserialization of arbitrary Python objects. | LLM | clean_slides/cli_generate.py:30 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/chart_generator.py:20 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/chart_generator.py:23 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/chart_generator.py:26 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/charts.py:3 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/cli_inspect.py:194 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/icons.py:4 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/inspect_pptx.py:2 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/template_config.py:287 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_canary_decks.py:12 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_chart_cells.py:13 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_chart_cells.py:24 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_chart_cells_golden.py:12 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_chart_engine_smoke.py:10 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_chart_generator.py:7 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_charts_cli.py:13 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_column_widths.py:3 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_content.py:3 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_hyperlinks.py:13 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_insert.py:9 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_placeholder.py:5 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_placement.py:5 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_pptx_access.py:5 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_schema_dims.py:3 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_sizing.py:5 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_sizing.py:9 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_smoke.py:8 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | tests/test_template_config.py:8 |
| HIGH | Unsafe deserialization / dynamic eval. Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/constants.py:239 |
| HIGH | Unsafe deserialization / dynamic eval. Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/constants.py:243 |
| HIGH | Unsafe deserialization / dynamic eval. Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/constants.py:302 |
| HIGH | Unsafe deserialization / dynamic eval. Python variable indirection to hide dangerous calls. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | clean_slides/template_config.py:295 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_render_via_powerpoint'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | clean_slides/screenshot.py:209 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_render_via_libreoffice'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | clean_slides/screenshot.py:256 |
| HIGH | Arbitrary file reading via user-controlled paths. Several CLI commands (`pptx generate`, `pptx charts`, `pptx batch`) accept file paths as arguments (e.g., `input`, `edits`, `template`). The `resolve_path` function in `clean_slides/chart_engine/units.py` explicitly allows absolute paths (`if path.is_absolute(): return path`). This means a malicious user could provide paths to sensitive system files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `/proc/self/environ`) which the skill would then read and process. While the immediate processing might not directly exfiltrate the data, the ability to read arbitrary files constitutes excessive permission and could be a precursor to data exfiltration or information gathering for further attacks. Implement strict path validation and sandboxing. Restrict file operations to a designated, non-sensitive working directory. Disallow absolute paths or paths that traverse outside a defined project root (e.g., using `pathlib.Path.is_relative_to()` or checking for `..`). For commands like `pptx batch` and `pptx generate`, consider if reading from `sys.stdin` is sufficient for untrusted inputs, or if file access needs to be more tightly controlled. | LLM | clean_slides/chart_engine/units.py:100 |
| MEDIUM | Unpinned Python dependency version. Dependency 'python-pptx>=0.6.21' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | pyproject.toml |