AI Presentation Maker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local presentation-making skill, with some privacy and HTML-export caveats users should understand.

Install only if you are comfortable with local presentation files being created under ~/workspace/presentations/. For sensitive environments, avoid or modify HTML exports because they may contact Google Fonts and may preserve untrusted HTML-like slide content. Review any use of SOUL.md or AGENTS.md before allowing the skill to prefill speaker details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill claims no network activity is required, yet its documented HTML output depends on Google Fonts CDN. In restricted or sensitive environments, this can cause unapproved outbound requests, leak usage metadata, and violate operator expectations about offline-only behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The skill asserts it does not access files outside ~/workspace/presentations/, but its setup and detection logic instructs the agent to read ~/workspace/SOUL.md and ~/workspace/AGENTS.md and to check other workspace files. This creates a trust boundary mismatch that can expose unrelated local context to the skill without the user's informed consent.

Context-Inappropriate Capability

Severity: Low
Confidence: 78%
Finding
Reading AI Persona OS identity files is broader context ingestion than a presentation tool strictly needs, and those files may contain sensitive personal, operational, or agent configuration data. Even if intended for convenience, this expands data access beyond the minimum necessary scope.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The header comment claims all user input is sanitized, but cmd_save_meta and cmd_save_deck write attacker-controlled JSON and Markdown directly to disk. In this skill context, those stored files are later consumed by export tooling such as pandoc and Python scripts, so unsafe content can propagate into downstream processors and create injection or unsafe-rendering risk.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The catch-all trigger phrase 'or similar' makes invocation boundaries ambiguous, increasing the chance the skill runs on loosely related user prompts. Over-broad activation can cause unintended file operations, context collection, or deck generation actions when the user did not clearly request them.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
Flexible natural-language command mapping without clear limits can lead to unintended skill invocation and action selection, especially where commands include edit, delete, archive, and export behaviors. In agent systems, ambiguity around command interpretation is a real safety issue because it can trigger side effects from casual language.

Missing User Warnings

Severity: Low
Confidence: 94%
Finding
The generated HTML unconditionally loads a remote stylesheet from Google Fonts, which causes client browsers opening the exported deck to make network requests to a third party. This creates a privacy and supply-chain exposure: viewer IPs, user agents, and referrer context may be disclosed, and rendering depends on an external service the exporter does not control.

VirusTotal

64/64 vendors flagged this skill as clean.