Back to skill

Security audit

chatppt-agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ChatPPT CLI guide for generating presentations, but users should treat uploaded documents and login/config data as shared with a third-party service.

Install only if you trust ChatPPT and the @yooai/cli package. Do not upload confidential, regulated, or secret-containing documents unless third-party processing is approved; avoid sharing config output or credentials; use logout or remove the local config when you no longer want the CLI authenticated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to upload local Word/PDF/Markdown/text files to an external PPT-generation service, but it does not clearly disclose that file contents leave the local environment and are transmitted to a third party. Users may unknowingly submit sensitive documents, creating a confidentiality and privacy risk, especially in enterprise environments where local files often contain proprietary or regulated data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.