NanoBanana PPT Skills

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its PPT/video-generation purpose, but its setup and workflow create avoidable credential and privacy exposure risks.

Install only if you are comfortable sending source documents, generated slide images, and prompts to third-party AI providers. Do not paste real API keys into chat; configure them locally in a protected .env file or secret manager, use separate limited-scope keys, and rotate any key that was already shared in a prompt. Avoid using this skill on confidential, regulated, or customer-sensitive material unless those providers are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document includes a realistic-looking API key example and later recommends logging part of a key value. Even if intended as instructional content, publishing key-like strings can normalize unsafe handling, trigger accidental secret leakage, and lead users to expose credentials in logs or copy real secrets into documentation and terminals.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document overstates the safety of storing API keys in persistent shell startup files by calling the approach 'completely safe' and 'the most secure'. Shell rc files are plaintext, may be backed up, synced, or exposed through local compromise, and the document further normalizes insecure plaintext backup of secrets, which can mislead users into weaker secret-handling practices.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The guide claims GitHub submission is 'absolutely safe' and presents 0% leakage risk while also recommending commands such as 'echo $GEMINI_API_KEY' that expose the secret in the terminal and advising storage in plaintext rc files. These assurances can cause users to underestimate realistic disclosure paths such as shoulder-surfing, terminal logging, shell history, backups, screenshots, or accidental dotfile publication.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow explicitly tells the agent to accept a user-supplied file path and read the file contents, but it does not require any consent prompt, path restrictions, or validation. In an agent environment with local file access, this can lead to unintended disclosure of sensitive local files if a user or prompt induces access to arbitrary paths.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The workflow instructs saving generated images to local files with fixed naming but does not tell the user where files will be written, whether existing files may be overwritten, or how local artifacts are managed. This can cause unintended file creation, clutter, or overwrite risk in environments where the working directory contains important files.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The architecture explicitly shows user document content flowing into external AI services, but the documentation provides no warning about third-party data transfer, retention, or privacy implications. This is dangerous because users may unknowingly submit sensitive business, personal, or regulated content to external providers under terms they did not expect.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
The document references storing API credentials in a .env file but does not warn that these secrets are sensitive or describe safe handling practices. This can lead users to commit secrets to source control, share output bundles containing credentials, or use insecure file permissions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The quickstart tells users to export a GEMINI_API_KEY but never states that this value is a sensitive secret that must not be committed to source control, pasted into shared logs, or embedded in files. In a developer onboarding context, this omission can lead to accidental credential exposure, especially when users copy commands into shell history, screenshots, CI configs, or public repositories.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The README explicitly instructs users to paste real API keys into a prompt sent to Claude Code, which encourages disclosure of secrets through natural-language interaction rather than direct local configuration. This increases the chance that credentials are exposed to logs, conversation history, screenshots, or unintended downstream handling by tooling.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill-install flow repeats the unsafe pattern of asking users to provide their API keys directly to Claude Code as part of the installation prompt. Repetition in a skill context makes unsafe secret-sharing look like the recommended setup path and normalizes credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document explicitly tells users to run `echo $GEMINI_API_KEY`, which exposes the secret in cleartext on-screen and can leak it through terminal recording, screen sharing, scrollback, or shell auditing/logging setups. While this is framed as troubleshooting, it unnecessarily encourages direct disclosure of a live API credential.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly instructs the agent to send user-provided document content to external AI providers for image and video generation, but the description does not clearly warn users that their documents, prompts, and possibly generated assets will leave the local environment and be processed by third parties. This creates a meaningful privacy and data-governance risk, especially if users provide confidential business materials without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The module base64-encodes slide images and sends them to the Anthropic API for analysis, but the code provides no user-facing notice, consent flow, or data-handling disclosure before transmitting potentially sensitive presentation content to a third party. If slides contain confidential business data, PII, or regulated information, users may unknowingly expose that data externally.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The code passes FFmpeg the -y flag, which overwrites existing output files without confirmation. If output_path is user-controlled or points to an important file, this can cause unintended data loss or destructive file replacement, especially in automated agent workflows.

Ssd 3

Severity: High
Confidence: 99%
Finding
The README tells users to replace placeholders with real API keys and send the completed prompt to Claude Code, directly encouraging sensitive credential disclosure in natural language. In an agent-skill context, this is especially risky because users may assume the assistant is the proper channel for handling secrets, leading to avoidable leakage.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill-installation example again instructs the user to provide API keys directly to Claude Code, creating a second clear pathway for credential disclosure. Because this is framed as the easiest installation method for a persistent local skill, it increases the likelihood that users will expose long-lived secrets during setup.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# 2. .env file (fallback)

if [ -z "$GEMINI_API_KEY" ]; then
    # System environment variable not set; try to load it from the .env file
    if [ -f "$SCRIPT_DIR/.env" ]; then
        echo "📌 从 .env 文件加载API密钥"
        # Exports every non-comment line of .env into the environment via unquoted word splitting
        export $(cat "$SCRIPT_DIR/.env" | grep -v '^#' | xargs)
Confidence: 96%
Finding
.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
if [ -z "$GEMINI_API_KEY" ]; then
    # System environment variable not set; try to load it from the .env file
    if [ -f "$SCRIPT_DIR/.env" ]; then
        echo "📌 从 .env 文件加载API密钥"
        # Exports every non-comment line of .env into the environment via unquoted word splitting
        export $(cat "$SCRIPT_DIR/.env" | grep -v '^#' | xargs)
    else
        echo "❌ 错误: API密钥未配置"
Confidence: 95%
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.