Security audit

Google Slides

Security checks across malware telemetry and agentic risk

Overview

This Google Slides skill appears useful and not malicious, but it exposes broad write and delete capabilities without clear guardrails.

Install only if you are comfortable granting this skill write-capable access to Google Slides. Prefer high-level edit actions, review target presentation IDs carefully, and avoid raw batch_update or delete_object unless you explicitly intend to make broad or destructive changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The schema exposes a raw `batch_update` action that accepts arbitrary Google Slides API request objects, which is materially broader than the surrounding high-level slide-editing primitives. This creates an unexpected capability expansion: an agent or prompt-injected workflow could perform destructive or unreviewed operations beyond the manifest’s apparent scope, including bulk edits and structural changes across a presentation.

Description-Behavior Mismatch

Low

Confidence: 81% confidence
Finding: The skill metadata emphasizes creating and editing presentations, but the schema also includes `search_presentations`, which enables enumeration of the user's broader Slides corpus. That mismatch can cause overbroad data access, especially if an agent is granted the skill for document creation but can also discover unrelated presentation names and metadata.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill exposes a destructive `delete_object` action for deleting slides or elements without any embedded warning, confirmation guidance, or safety guardrails. In an autonomous-agent context, this increases the risk of accidental destructive operations against user presentations, especially because object IDs can refer to entire slides as well as individual elements.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documented `delete_object` capability can remove slides or elements, yet the schema provides no warning, confirmation requirement, or indication of irreversibility. In an agent setting, this increases the risk of accidental or prompt-induced destructive changes to user presentations.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The raw `batch_update` endpoint permits broad write access through arbitrary request objects, but the schema does not warn that it may perform destructive, bulk, or hard-to-review modifications atomically. This is dangerous because a single tool call can rewrite or remove significant presentation content with little transparency or opportunity for user review.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.