Security audit

课件帮 Aippt

Security checks across malware telemetry and agentic risk

Overview

This PPT-generation skill appears aligned with its stated purpose, but it handles the user's authentication token in unsafe ways (pasted into chat, then persisted to disk) that deserve review before installation.

Install only after reviewing or fixing the credential flow. Use a dedicated, revocable Kejian365 token, avoid pasting secrets into chat, remove token persistence from state files, and confirm that any PPT content you provide may be sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to read an environment secret, write files, execute local scripts, and make network requests, yet it declares no explicit permissions. This creates a governance gap: the runtime may grant these capabilities without clear review boundaries, increasing the chance of unintended secret exposure, file misuse, or external data transfer.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script saves the authentication token into task_state.json, causing long-lived credential material to be written to disk in the working directory. If that directory is readable by other local users, collected by logs/backups, or exposed through agent tooling, the token can be reused to access the user's Kejian365 account and related PPT data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly tells users to send their auth token in chat, which exposes a secret to the conversational channel, model context, logs, transcripts, and potentially other connected components. This creates a real credential-handling vulnerability because secrets entered into chat are harder to scope, redact, rotate, and protect than secrets supplied through dedicated secure configuration paths.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad phrases like 'make me a PPT' or 'create slides,' which can cause the skill to activate in many contexts where the user did not specifically intend to use this external service. That can lead to accidental transmission of user content to the Kejian365 platform or unexpected use of credentials and external actions.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The usage instruction says users can simply ask for a PPT to start the workflow, which is overly vague for a skill that writes files, invokes scripts, and sends content to a third-party platform. This weak consent boundary increases the risk of unintended activation and external processing of sensitive prompts or materials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Persisting the token to disk without notice or necessity creates silent credential exposure. In an agent skill context, workspace files may be inspected, archived, or shared between components, making this more dangerous than a typical local script because the user may not realize their bearer token is being retained.
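The two persistence findings above (token written into task_state.json, and written there without notice) both come down to the same fix: keep credential material out of the state file entirely, and verify that after the fact. The following is an added example and not the skill's own code; the variable name KEJIAN365_TOKEN, the state-file layout and the sample token are assumptions for illustration. It shows the unsafe pattern beside a hardened version that reads the token from the process environment, strips secret-named keys before saving, writes the file owner-only, and then checks that the token does not appear on disk.

```python
"""Added example (not the skill's own code): keep a bearer token out of
task_state.json. KEJIAN365_TOKEN, the state layout and the sample token
are assumptions for illustration."""
import json
import os
import stat
import tempfile

# Key names that mark credential material; extend for the real state schema.
SECRET_KEYS = {"token", "auth_token", "access_token", "api_key"}


def save_state_unsafe(state: dict, path: str) -> None:
    # The pattern the finding describes: the whole in-memory state, token
    # included, lands in the working directory with default permissions.
    with open(path, "w", encoding="utf-8") as f:
        json.dump(state, f)


def redact_secrets(obj):
    """Recursively drop any key whose name marks credential material."""
    if isinstance(obj, dict):
        return {k: redact_secrets(v) for k, v in obj.items()
                if k.lower() not in SECRET_KEYS}
    if isinstance(obj, list):
        return [redact_secrets(v) for v in obj]
    return obj


def save_state_safe(state: dict, path: str) -> dict:
    """Persist only non-secret fields, owner read/write only. Returns what was written."""
    clean = redact_secrets(state)
    # Create with mode 0o600 so the file is never group/world-readable, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(clean, f)
    return clean


def load_token() -> str:
    """Take the token from the environment of this process, never from chat or state."""
    token = os.environ.get("KEJIAN365_TOKEN")  # assumed variable name
    if not token:
        raise RuntimeError("KEJIAN365_TOKEN is not set; refusing to run without a scoped token")
    return token


def state_file_leaks_token(path: str, token: str) -> bool:
    """Post-run check: does the persisted state contain the token anywhere?"""
    with open(path, encoding="utf-8") as f:
        return token in f.read()


def file_is_private(path: str) -> bool:
    """True when the file has no group or other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    # Constructed sample: a task state as the skill might hold it in memory.
    token = "kj365-example-token-not-real"
    state = {"task_id": "t-42", "slides": 12, "auth_token": token,
             "nested": {"api_key": token, "title": "Quarterly review"}}
    with tempfile.TemporaryDirectory() as d:
        unsafe = os.path.join(d, "task_state.json")
        safe = os.path.join(d, "task_state_safe.json")
        save_state_unsafe(state, unsafe)
        save_state_safe(state, safe)
        return {
            "unsafe_leaks": state_file_leaks_token(unsafe, token),
            "safe_leaks": state_file_leaks_token(safe, token),
            "safe_private": file_is_private(safe),
        }


if __name__ == "__main__":
    print(demo())
```

The substring check in state_file_leaks_token is deliberately blunt: it catches the token wherever it ends up (a nested field, a logged request header, a renamed key) rather than trusting the redaction list, which is the check a reviewer would want to run over the whole workspace after one skill execution.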

Ssd 3

Medium
Confidence
99% confidence
Finding
Telling users to paste a secret token into chat and stating that the AI will remember it for the session encourages unsafe secret exposure and persistence in model context. In the context of a skill that calls an external PPT-generation platform, compromise of this token could allow unauthorized API use, billing abuse, access to generated content, or further account-level actions depending on token scope.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.