Security audit

ZM Image2PPT (Visual Slide Generation)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it handles API keys, uploads slide/template content to configurable model services, and includes broad optional execution paths that deserve user review before installation.

Install only if you are comfortable with a deck-generation skill that can send slide text and template images to the OpenAI-compatible endpoints you configure. Avoid using confidential templates unless you trust those endpoints, prefer platform secret storage or manually managed environment variables over giving an agent your API key, and avoid the `--backend codex` and Docker template-rendering paths unless you understand their broader local authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        copied_for_run = True
        try:
            mount_src = str(out_dir).replace("\\", "/") if sys.platform == "win32" else str(out_dir)
            subprocess.run(
                ["docker", "run", "--rm",
                 "-v", f"{mount_src}:/work",
                 "--entrypoint", "soffice",
Confidence
79% confidence
Finding
subprocess.run( ["docker", "run", "--rm", "-v", f"{mount_src}:/work", "--entrypoint", "soffice", DOCKER_IMAGE,

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to read and write files, access environment-provided credentials, invoke shell commands, and make network calls, but it does not declare those permissions up front. That creates a transparency and least-privilege problem: a caller may invoke the skill without realizing it can clone repositories, load API keys from local .env locations, render PPTs via local tools or Docker, and send slide content to external model endpoints.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs the agent to solicit an OpenAI API key from the user and persist it in a local .env file. Even if intended for normal setup, this expands the skill from slide generation into credential collection and storage, which increases the attack surface if the directory is later exposed, synced, logged, or reused by other tools.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This backend delegates image generation to `codex exec --full-auto`, which grants a general-purpose autonomous agent broad ability to interpret prompts and potentially perform additional actions beyond simple image creation. Because the instruction embeds untrusted prompt content and absolute filesystem paths, a prompt-injection or model-misbehavior path could cause unintended file access, command execution, or modification of local artifacts under the user's authority.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts arbitrary URLs extracted from model output and fetches them with requests.get, which gives the skill a general outbound network retrieval capability beyond image generation. Because the model response is untrusted, this can be abused for SSRF-style access to internal services, unexpected data exfiltration routes, or downloading attacker-controlled content to disk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The analyzer base64-encodes full slide images and sends them to a configurable external vision/chat-completions endpoint. PPT slides often contain confidential business data, branding, customer information, or unpublished content, so this creates a real data-exfiltration/privacy risk if users are not clearly warned and the endpoint is not tightly controlled.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README encourages template-cloning of arbitrary .pptx files and explicitly supports vision analysis via external multimodal providers, but it does not clearly warn users that slide content may be rendered to images and sent to third-party APIs. In a presentation-generation skill, this creates a realistic risk of unintentional disclosure of confidential business data, customer information, or internal branding assets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell the agent to request a secret and write it into a .env file, but they do not warn the user that the credential will be stored locally in plaintext. This creates a secrecy and consent problem: users may disclose a high-value API key without understanding persistence, backup, and accidental exposure risks.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The cleanup step recommends rm -rf on a temporary path without any cautionary note or validation. In an agent-executed context, destructive shell commands deserve extra care because path mistakes, variable substitution errors, or user modifications could cause unintended deletion.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Slide content and generated prompts are sent to a remote API, and the script is explicitly designed to support arbitrary OpenAI-compatible endpoints, including proxy services. Users may unknowingly disclose sensitive presentation content to third parties because there is no explicit consent flow, redaction step, or strong warning at the transmission point.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code transmits full slide images and some template metadata to an external API without any user-facing consent or warning in the file's flow. In this skill context, templates are likely to be proprietary presentation assets, so silent off-host transmission materially increases confidentiality and compliance risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
This section provides a plain-language workflow for collecting and storing sensitive credentials, including the exact prompt the agent should use and the destination file. That makes the skill materially capable of handling secrets, which is risky in untrusted agent environments where chat logs, workspace files, or plugins may expose them.

External Transmission

Medium
Category
Data Exfiltration
Content
        start_time = time.time()

        try:
            resp = requests.post(
                url,
                json=payload,
                headers=self.headers,
Confidence
97% confidence
Finding
requests.post( url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        last_err: Optional[Exception] = None
        for attempt in range(1, VISION_MAX_RETRIES + 1):
            try:
                resp = requests.post(
                    self.endpoint, headers=headers, json=payload, timeout=VISION_TIMEOUT_SECS
                )
                if resp.status_code != 200:
Confidence
96% confidence
Finding
requests.post( self.endpoint, headers=headers, json=

Unvalidated Output Injection

High
Category
Output Handling
Content
        print(f"🔗 [scene {scene_index}] dispatching to codex ({len(instruction)} chars)")
        try:
            result = subprocess.run(
                argv,
                capture_output=True,
                text=True,
Confidence
93% confidence
Finding
subprocess.run( argv, capture_output

Credential Access

High
Category
Privilege Escalation
Content
The install script is **interactive**: if the target directory already exists, it asks whether to overwrite it. The agent can run `yes | bash install_as_skill.sh` to answer "yes" automatically, or check whether the directory exists first and then decide.

### 3. Configure .env only when using the direct API path

If the current agent is Codex with native image-generation capability, you can skip this step and, after restarting, go straight to the native image-generation path described in `SKILL.md`.
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
            print_info "取消"
            exit 0
        fi
        # back up the user's .env
        if [ -f "$SKILL_DIR/.env" ]; then
            cp "$SKILL_DIR/.env" "/tmp/gpt-image2-ppt.env.bak"
            print_info "已备份现有 .env 到 /tmp/gpt-image2-ppt.env.bak"
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
            exit 0
        fi
        # back up the user's .env
        if [ -f "$SKILL_DIR/.env" ]; then
            cp "$SKILL_DIR/.env" "/tmp/gpt-image2-ppt.env.bak"
            print_info "已备份现有 .env 到 /tmp/gpt-image2-ppt.env.bak"
        fi
Confidence
98% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
    print_success "文件复制完成"

    # restore the backed-up .env
    if [ -f "/tmp/gpt-image2-ppt.env.bak" ]; then
        mv "/tmp/gpt-image2-ppt.env.bak" "$SKILL_DIR/.env"
        print_success "已恢复用户 .env"
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    # restore the backed-up .env
    if [ -f "/tmp/gpt-image2-ppt.env.bak" ]; then
        mv "/tmp/gpt-image2-ppt.env.bak" "$SKILL_DIR/.env"
        print_success "已恢复用户 .env"
    fi
Confidence
97% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31
python-dotenv>=1.0
python-pptx>=1.0
jsonschema>=4.0
Confidence
97% confidence
Finding
requests>=2.31

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31
python-dotenv>=1.0
python-pptx>=1.0
jsonschema>=4.0
pymupdf>=1.24
Confidence
96% confidence
Finding
python-dotenv>=1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31
python-dotenv>=1.0
python-pptx>=1.0
jsonschema>=4.0
pymupdf>=1.24
Confidence
96% confidence
Finding
python-pptx>=1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31
python-dotenv>=1.0
python-pptx>=1.0
jsonschema>=4.0
pymupdf>=1.24
Confidence
96% confidence
Finding
jsonschema>=4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0
python-pptx>=1.0
jsonschema>=4.0
pymupdf>=1.24
Confidence
96% confidence
Finding
pymupdf>=1.24

VirusTotal

VirusTotal findings are pending for this skill version.