Back to skill

Security audit

officecli-morph-ppt

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for building animated PowerPoint decks, but its setup and cleanup guidance include high-impact actions users should review before installing.

Install only if you trust the officecli installer source. Prefer downloading a versioned release and verifying provenance instead of piping a remote script into a shell. Use the helper cleanup command only on a backup copy of a deck, and expect the skill to run local officecli commands that create, overwrite, and mutate .pptx files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill clearly instructs shell execution and external CLI use, yet no declared permissions are present. That creates a trust gap where an agent may execute shell-capable behavior without explicit permission scoping or user-visible consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a narrow scene-layer for generating a single morph .pptx, but it also documents deck-wide mutation, validation, cleanup, cloning, ghost-shape management, and raw editing workflows. This broader behavior increases the attack surface and may mislead operators into granting trust appropriate for a simple generation skill while it can modify or remove existing content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup section instructs users to run remote installer scripts directly from the network into a shell or PowerShell interpreter. This is dangerous because any compromise of the hosting domain, transport path, or script publisher can immediately lead to arbitrary code execution on the user's machine.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The skill authorizes raw XML mutation via raw-set, which bypasses higher-level safety rails and schema constraints of the presentation tool. In an agent context, exposing low-level arbitrary mutation makes it easier to introduce malformed files, hidden content changes, or unexpected document behaviors beyond the stated morph-scene purpose.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file adds a destructive cleanup command (`clean-accumulation`) that removes shapes from the deck, which goes beyond a narrowly-scoped morph-helper role and changes document contents irreversibly. In an agent/skill setting, hidden or weakly-scoped destructive capabilities increase the chance of unintended data loss, especially if the helper is called automatically as part of workflow enforcement rather than via an explicit user request.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code exposes bulk deletion of shapes matching `x>=34cm`, which is only heuristically associated with 'ghost' shapes. Because that query is broad and the function iterates through all matching results past a threshold, legitimate off-canvas or intentionally staged objects could be deleted, causing silent corruption of presentation content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Piping curl/irm output directly into bash/iex executes unreviewed remote code immediately. This eliminates inspection and integrity verification, so a malicious or tampered script would execute with the user's privileges at installation time.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The destructive remove operation executes without any explicit warning, confirmation, or interactive safeguard at the point of deletion. In an automated skill context, this makes accidental data loss more likely because a user may not realize that invoking cleanup can permanently remove shapes from the presentation.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script unconditionally runs `rm -f "$DECK"`, which will delete any existing file at that path without warning or confirmation. In this skill, the path is derived from the script directory and a fixed filename, so the scope is limited, but it can still cause unintended data loss if a user has an existing deck with that name.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The script unconditionally runs `rm -f "$OUTPUT"` before rebuilding the presentation, which will silently delete any existing file at that path. In this specific skill, the path is derived from the script directory and a fixed filename, so the risk is limited to accidental data loss rather than arbitrary file deletion, but it is still a real safety issue.

External Script Fetching

High
Category
Supply Chain
Content
If `officecli` is missing:

- **macOS / Linux**: `curl -fsSL https://d.officecli.ai/install.sh | bash`
- **Windows (PowerShell)**: `irm https://d.officecli.ai/install.ps1 | iex`

Verify with `officecli --version` (open a new terminal if PATH hasn't picked up). If install fails, download a binary from https://github.com/iOfficeAI/OfficeCLI/releases.
Confidence
99% confidence
Finding
curl -fsSL https://d.officecli.ai/install.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.