kai-slide-creator

Security checks across malware telemetry and agentic risk

Overview

This is a real slide-deck generator, but its generated decks can make undeclared third-party font requests and may try to save edited HTML back to the current URL.

Review before installing if you need strictly offline or privacy-sensitive decks. Use a dedicated resources/assets folder, avoid putting unrelated sensitive files there, remove or self-host remote font links for offline use, and do not host generated decks on endpoints that accept PUT unless you intentionally want Ctrl/Cmd+S to write back to the server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (44)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The save routine intercepts Ctrl/Cmd+S and issues a PUT request to the current pathname, attempting to overwrite the served HTML resource. That creates an undocumented write side effect and can modify server-hosted content when the page is served from an endpoint that accepts PUT, which is riskier than the deck's stated browser-local editing model suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
In-place overwrite of the current resource is outside the expected trust boundary for a presentation viewer/editor and is triggered by a common shortcut. If deployed on an environment that supports PUT to the same path, this could alter or deface content unexpectedly and violates least surprise.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The deck text tells users edits are saved via 'Save Page As' or DevTools copy, but the implementation silently attempts a network PUT on Ctrl/Cmd+S. This mismatch is dangerous because users cannot make an informed decision about whether pressing save will trigger a remote write attempt.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The file advertises browser-local, zero-server editing, but Ctrl+S triggers a network write attempt via HTTP PUT to the current path. In a served environment where PUT is accepted, this could overwrite hosted content unexpectedly and violates user expectations about purely local behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The file claims zero-dependency/browser-only operation, but it fetches fonts from fonts.googleapis.com at runtime. This is a real supply-chain/privacy concern because opening the deck causes network access to a third party, which breaks offline expectations and can leak viewer metadata such as IP address and user agent.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The on-page text advertises 'Zero-dependency HTML presentations' while the document includes a remote Google Fonts dependency. That mismatch is security-relevant because users may trust the file as fully local/offline and open it in restricted environments, unknowingly triggering third-party requests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The file advertises zero-dependency/browser-only behavior, but it fetches Google Fonts at runtime via external network requests. This is a real integrity and privacy issue because rendering depends on third-party availability and leaks viewer metadata to an external service, though it is not a direct code-execution vulnerability.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The slide text claims there are no external dependencies, but the page loads Google Fonts from external origins. This mismatch can mislead users into trusting the file as fully local/offline-safe when it still performs network access, creating avoidable privacy and supply-chain exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The file claims zero-dependency / fully browser-run behavior, but it fetches Google Fonts from external domains at runtime. This creates a privacy and availability dependency: opening the deck leaks network metadata to third parties and the presentation may render inconsistently or fail to match expectations in offline or restricted environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The file imports Google Fonts from external domains while the deck copy claims a zero-dependency, offline, single-file presentation. This is a real integrity/privacy issue because opening the deck causes network requests that can fail offline and leak access metadata, contradicting the advertised behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The slide text explicitly says there are no CDN calls and that the presentation works offline, but the page still fetches Google Fonts. This mismatch can mislead users into trusting the artifact in offline or privacy-sensitive environments where unexpected network egress matters.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The slide advertises that Ctrl+S saves changes back to the HTML file, but the implementation only attempts an HTTP PUT to the current path and otherwise downloads a replacement file. This is a deceptive and potentially unsafe UX because users may believe edits were persisted in place when they were not, causing data loss or unexpected overwrite attempts against a served file.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The file claims 'zero dependencies' and 'zero cloud' while fetching Google Fonts from external domains at runtime. This creates a real integrity/privacy issue because viewing the deck leaks network metadata to third parties and makes the presentation depend on remote availability, even if the risk is limited to tracking, policy violations, or broken rendering rather than code execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The file markets itself as zero-dependency and fully browser-local, but it loads a third-party stylesheet from Fontshare and includes an external GitHub link. This is a real trust and privacy discrepancy because opening the deck can trigger network requests that leak metadata such as IP address, user agent, and referrer, even though no obvious data exfiltration code is present.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The slide claims '0 Dependencies' and 'No tracking,' but the document imports a third-party font stylesheet. That creates an external dependency and causes unsolicited network contact, which can undermine user expectations around privacy and offline use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The file advertises '零依赖 HTML' ('zero-dependency HTML') and '无跟踪' ('no tracking'), but it loads a remote stylesheet from api.fontshare.com. Opening the page causes a third-party network request that leaks viewer metadata such as IP address, user agent, and referrer, and also creates a real runtime dependency on an external service. In a local/offline/privacy-sensitive presentation skill, that mismatch is security-relevant because users may trust the claim and open it in restricted environments.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The slide content explicitly claims '0 dependencies' and 'no tracking' while the document still imports a remote font stylesheet. This is a deceptive privacy/integrity issue: users are told the file is self-contained and tracking-free, but rendering it triggers external communication. In the context of a tool marketed as zero-dependency browser-only output, that makes the claim more dangerous because it encourages trust-based use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The file claims to be zero-dependency, but it loads Google Fonts from a third-party origin. This creates a network dependency and leaks viewer metadata such as IP address and user agent to Google, which contradicts the presentation's stated offline/self-contained properties.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The slide text says the deck runs entirely in the browser with no installs, but the document still depends on externally fetched assets. This can mislead users about privacy, offline availability, and supply-chain exposure from third-party content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The style reference instructs the generator to load fonts from fonts.googleapis.com, which violates the skill's zero-dependency claim and introduces an external network dependency. This can leak user IP/addressing metadata, fail in offline or restricted environments, and create a supply-chain/privacy risk if generated presentations automatically fetch third-party assets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
This documentation directs use of externally hosted fonts while the manifest promises zero-dependency HTML, creating a misleading security and deployment contract. Consumers may trust the output to be self-contained, but generated files could perform third-party requests, causing privacy exposure, breakage under CSP/offline use, and compliance issues in locked-down environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The template instructs generated presentations to include an in-browser edit mode with persistence logic, expanding the skill from presentation generation into document modification. That increases the attack surface and enables generated artifacts to alter content after creation, which is not necessary for the stated purpose and can surprise users or downstream systems.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The `saveFile()` pattern performs a direct `fetch(location.pathname, { method: 'PUT' ... })`, causing generated HTML to attempt overwriting the file at its own URL. In environments where such requests are accepted, this becomes arbitrary content modification from a locally opened/generated artifact, which can be abused for unauthorized file replacement or persistence.

Context-Inappropriate Capability

Severity: Low
Confidence: 87%
Finding:
Invoking `open [filename].html` causes the skill to trigger an OS-level action outside pure content generation. Even though the action is low risk, it crosses a trust boundary by launching a local application without explicit confirmation, which can surprise users and normalize autonomous system interaction.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The template claims to be 'zero-dependency' but loads Google Fonts from external domains at runtime, creating a supply-chain and privacy dependency that can leak viewer IP/User-Agent data and fail in offline or restricted environments. In a presentation generator, this is not remote code execution, but it is a real integrity/privacy issue because the rendered document is no longer self-contained.

VirusTotal

65/65 vendors flagged this skill as clean.