Back to skill

Security audit

Slides/PPT generation and voice narration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent 2slides presentation tool, but users should understand that their slide content and API key are used with a third-party service.

Install this only if you are comfortable sending presentation text, document-derived summaries, reference image URLs or base64 images, job IDs, and related metadata to 2slides. Treat the 2slides API key as a secret, avoid sharing config files that contain it, prefer environment-based secret storage over URLs when possible, and choose download output paths carefully to avoid overwriting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'download_url' from requests.post (line 83, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
print(f"Downloading ZIP archive to: {output_path}...", file=sys.stderr)

    zip_response = requests.get(download_url, stream=True, timeout=120)
    zip_response.raise_for_status()

    # Save to file
Confidence
89% confidence
Finding
zip_response = requests.get(download_url, stream=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill requires access to environment variables and external network resources to operate, but no permissions are explicitly declared. That creates a transparency and governance gap: users and host systems may not realize the skill can read secrets like API keys and transmit user-provided content to a third-party service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose says presentation generation, but the documented behavior also includes narration generation and export of audio/transcript assets. This mismatch can cause users, policy engines, and reviewers to underestimate what data leaves the system and what artifacts the skill can create or retrieve from the external service.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill documentation expands from slide generation into voice narration and transcript export without reflecting that in the top-level description. Because narration and transcript handling involve additional potentially sensitive user data, the undocumented expansion increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README encourages users to upload documents and provide reference image URLs, but it does not warn that those files and URLs will be transmitted to a third-party service for processing. This can lead to accidental disclosure of sensitive internal documents, confidential research, or private image assets because users may assume processing is local or privacy-neutral.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The API key setup instructions tell users to export the credential and persist it in shell startup files, but they do not include any warning about protecting the key or avoiding accidental disclosure. This increases the risk that users will expose the credential through shared dotfiles, screenshots, logs, or committing configuration files to version control.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger conditions are very broad and effectively match almost any presentation-related request. Overbroad activation increases the chance the skill is invoked unnecessarily, causing unintended transmission of user content or documents to a third-party API when a local or safer workflow would have sufficed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs sending user text, summarized document content, image URLs, and job metadata to an external API but does not provide a clear privacy or data-sharing warning. This is dangerous because users may unknowingly expose confidential business documents, proprietary images, or sensitive content to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation tells users to embed the API key directly in the MCP server URL query string, which increases the chance the secret will be exposed via config files, logs, browser/history artifacts, screenshots, telemetry, or error messages. In an MCP context this is especially risky because desktop agent configs are often copied, shared for troubleshooting, or checked into dotfile backups, making accidental credential disclosure more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends arbitrary user-provided content and optional design specifications to an external third-party API, but it provides no explicit disclosure or confirmation that the data will leave the local environment. In an agent skill context, users may supply sensitive business documents or personal information, making silent transmission to a remote service a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script opens the output path in write-binary mode without checking whether the file already exists, so an existing file can be silently overwritten. If an attacker can influence output_path or job_id, important local files in writable locations could be clobbered.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits user-provided slide content, and in the alternate path potentially reference-image data, to a third-party service without any explicit privacy notice or confirmation at the point of use. In an agent skill context, users may assume local processing, so this can cause unintended disclosure of sensitive business, personal, or confidential material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.