Gpt Image2 Ppt Skills

Security checks across malware telemetry and agentic risk

Overview

The skill’s presentation-generation purpose is mostly coherent, but it asks for broad agent execution and handles user templates and API keys in ways users should review carefully before installing.

Install only if you are comfortable with this skill running local conversion tools, using Docker/LibreOffice, calling remote AI endpoints with your slide/template content, and storing an API key on disk. Avoid using it with confidential decks unless you restrict endpoints and credentials, and review or disable the `codex exec --full-auto` backend and the installer’s `.env` backup behavior first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
copied_for_run = True
try:
    mount_src = str(out_dir).replace("\\", "/") if sys.platform == "win32" else str(out_dir)
    subprocess.run(
        ["docker", "run", "--rm",
         "-v", f"{mount_src}:/work",
         "--entrypoint", "soffice",
Confidence
89% confidence
Finding
subprocess.run( ["docker", "run", "--rm", "-v", f"{mount_src}:/work", "--entrypoint", "soffice", DOCKER_IMAGE,

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and orchestrates broad capabilities including shell, network, file I/O, and environment-variable access, but does not declare permissions or boundaries. That creates a transparency and policy-enforcement gap: an agent may execute commands, read secrets, or write files in the course of normal use without users or a runtime policy layer having clear notice of those powers.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The optional backend instructs the agent to spawn `codex exec --full-auto`, effectively delegating work to a second autonomous agent process with broad execution semantics. This expands the trust boundary and can lead to uncontrolled command execution, network activity, or data exposure beyond what a PPT-generation skill minimally requires.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The backend delegates image generation to a general-purpose Codex agent instead of directly calling a constrained image API, which materially changes the skill's security properties. In this context, user prompts and file paths are handed to an autonomous tool that may perform broader actions than expected, creating capability mismatch and misleading trust assumptions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The default command is `codex exec --full-auto`, which grants a general-purpose CLI agent autonomous execution privileges. In an image-generation skill, this is especially risky because untrusted prompt content is embedded into instructions for an agent that may access files, invoke tools, or take unintended side effects beyond generating an image.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation guidance is very broad and overlaps with common requests for presentations, decks, and slides, increasing the chance the skill auto-triggers in many contexts. Because the skill can invoke shell, network, and file operations, overbroad routing raises the likelihood of unintended execution and unnecessary exposure of user content or local resources.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The README explicitly instructs users to place `OPENAI_API_KEY` into a `.env` file under the skill directory, but the warning is limited and does not clearly emphasize local secret storage risks, file permissions, backup/sync exposure, or accidental check-in. In a skill ecosystem where agents may install and manage files automatically, this can lead to users disclosing credentials without understanding where they persist.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs the agent to collect an OpenAI API key from the user and persist it into a local .env file, but it does not warn that the credential will be stored on disk, may be readable by other local processes/users depending on permissions, and could be left behind after installation. In an agent-install context, silently persisting secrets is risky because users may believe they are providing a transient credential only for immediate use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installer copies an existing .env file, which commonly contains API keys, into /tmp before deleting and recreating the skill directory. While the apparent goal is preserving user configuration, placing secrets in a shared temporary location can expose them to other local users or leave them behind if the script exits unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code forwards the full generated instruction, including prompt content and absolute output/reference file paths, to an external CLI agent without any clear minimization or user warning. If prompts or paths contain sensitive material, this broadens exposure to another tool boundary and may leak local filesystem structure or confidential content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends full slide images, including user-supplied template content, to a configurable remote vision endpoint via `requests.post` without any built-in consent flow, disclosure, or endpoint trust restriction. In this skill’s context, uploaded PPT templates may contain confidential business data, branding, or personal information, so silent off-device transmission creates a real privacy and data-governance risk.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The style file is written entirely in Chinese and its prompt template instructs the model to generate slide content in that language without any mechanism to honor the user's preferred language. In a presentation-generation skill, this can cause incorrect-language outputs, degrade usability, and create prompt-level behavior that overrides user intent, though it is not a direct code-execution or data-exfiltration issue.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The prompt template is written entirely in Chinese and explicitly directs the model in Chinese without indicating that it should preserve or adapt to the user's language. In a presentation-generation skill, this can cause unwanted language forcing, producing slides in Chinese even when the user asked in another language, which is a prompt-quality and policy-compliance issue rather than a code-execution flaw.

Credential Access

High
Category
Privilege Escalation
Content
    print_info "取消"
    exit 0
fi
# Back up the user's .env
if [ -f "$SKILL_DIR/.env" ]; then
    cp "$SKILL_DIR/.env" "/tmp/gpt-image2-ppt.env.bak"
    print_info "已备份现有 .env 到 /tmp/gpt-image2-ppt.env.bak"
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    exit 0
fi
# Back up the user's .env
if [ -f "$SKILL_DIR/.env" ]; then
    cp "$SKILL_DIR/.env" "/tmp/gpt-image2-ppt.env.bak"
    print_info "已备份现有 .env 到 /tmp/gpt-image2-ppt.env.bak"
fi
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
print_success "文件复制完成"

# Restore the backed-up .env
if [ -f "/tmp/gpt-image2-ppt.env.bak" ]; then
    mv "/tmp/gpt-image2-ppt.env.bak" "$SKILL_DIR/.env"
    print_success "已恢复用户 .env"
Confidence
84% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.