Html2pptx Shape

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real HTML-to-PPTX converter, but it automatically fetches image URLs from input HTML without clear network limits or opt-in controls.

Install only if you are comfortable reviewing HTML inputs before conversion. Avoid using it on untrusted HTML unless remote image fetching is disabled or the skill is run in a network-restricted environment, and prefer pinning dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that imply file read, file write, and network access, but no corresponding permissions are declared. This creates a transparency and governance gap: users or orchestrators may execute a skill with broader effective access than expected, increasing the risk of unintended local file access, overwriting outputs, or outbound requests to attacker-controlled resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose focuses on HTML-to-PPTX conversion, but the docs also indicate support for remote image URLs and HTTP(S) fetching via requests. Undisclosed network retrieval can be abused for SSRF-like behavior, privacy leakage, or unexpected communication with external hosts when processing untrusted HTML.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
Advertising Playwright screenshot functionality in a skill primarily presented as a native shape converter expands the operational scope beyond what users may expect. Browser automation can introduce additional attack surface, including network access, script execution in rendered pages, and accidental handling of active web content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The converter issues HTTP(S) requests to attacker-controlled URLs embedded in the input HTML via requests.get(src) with no allowlist, timeout, size limit, or network restrictions. This creates an SSRF-style outbound fetch primitive that can be abused for internal network probing, unexpected data egress, or denial of service through slow or large responses.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill fetches remote image URLs directly from untrusted HTML input without warning users that conversion may trigger outbound network access. In this context, an HTML-to-PPTX converter is expected to process local content, so hidden network activity makes the SSRF/privacy risk more dangerous because users and operators may run it in trusted environments with internal network reachability.

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx>=0.6.21
beautifulsoup4>=4.12.0
pillow>=10.0.0
requests>=2.31.0
Confidence
96% confidence
Finding
python-pptx>=0.6.21

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx>=0.6.21
beautifulsoup4>=4.12.0
pillow>=10.0.0
requests>=2.31.0
cssutils>=2.7.0
Confidence
96% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx>=0.6.21
beautifulsoup4>=4.12.0
pillow>=10.0.0
requests>=2.31.0
cssutils>=2.7.0
premailer>=3.10.0
Confidence
98% confidence
Finding
pillow>=10.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx>=0.6.21
beautifulsoup4>=4.12.0
pillow>=10.0.0
requests>=2.31.0
cssutils>=2.7.0
premailer>=3.10.0
playwright>=1.40.0
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.12.0
pillow>=10.0.0
requests>=2.31.0
cssutils>=2.7.0
premailer>=3.10.0
playwright>=1.40.0
Confidence
94% confidence
Finding
cssutils>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pillow>=10.0.0
requests>=2.31.0
cssutils>=2.7.0
premailer>=3.10.0
playwright>=1.40.0
Confidence
94% confidence
Finding
premailer>=3.10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
cssutils>=2.7.0
premailer>=3.10.0
playwright>=1.40.0
Confidence
97% confidence
Finding
playwright>=1.40.0

Known Vulnerable Dependency: pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
79% confidence
Finding
pillow

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
82% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.
