Security audit

Slide Creator

Security checks across malware telemetry and agentic risk

Overview

This slide generator largely matches its purpose, but it includes under-disclosed save/write behavior and an unrelated privileged desktop preload file that deserve review before installation.

Review before installing. The core slide-generation workflow appears legitimate, but generated decks should be treated as active HTML, not purely static files: they can load Google Fonts and Ctrl/Cmd+S may send the full edited deck back to the page URL before downloading a copy. Avoid hosting generated decks on origins that accept unauthenticated PUT, and remove or ignore the unrelated preload.cjs unless you know your desktop host will not load it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (63)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def test_export_script_importable(export_script):
    """export-pptx.py must be importable (syntax check)."""
    result = subprocess.run(
        [sys.executable, "-c", f"import ast; ast.parse(open('{export_script}').read())"],
        capture_output=True, text=True
    )
Confidence
86% confidence
Finding
result = subprocess.run( [sys.executable, "-c", f"import ast; ast.parse(open('{export_script}').read())"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    native_script = export_script.parent / "export-native-pptx.py"
    assert native_script.exists(), f"export-native-pptx.py not found at {native_script}"

    result = subprocess.run(
        [sys.executable, "-c",
         f"import importlib.util; "
         f"spec = importlib.util.spec_from_file_location('m', '{native_script}'); "
Confidence
90% confidence
Finding
result = subprocess.run( [sys.executable, "-c", f"import importlib.util; " f"spec = importlib.util.spec_from_file_location('m', '{native_script}'); " f"mod = imp

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and operationally relies on powerful capabilities including file read/write, shell, network, and environment access, yet the metadata does not declare any permissions or capability boundaries. That creates a transparency and governance failure: users and platforms cannot accurately assess or constrain what the skill may do, increasing the risk of unintended file modification, command execution, data exfiltration, or network access during normal use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The documented purpose is slide generation, but the skill instructions describe substantially broader behavior including validation pipelines, auditing, regression/eval artifacts, contract checks, and release-style gatekeeping. This mismatch is security-relevant because it obscures the true operational surface area and can cause users or hosting systems to grant trust to a skill that performs more extensive analysis, file operations, and execution steps than its description suggests.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The page performs a direct PUT to location.pathname with the full HTML document contents when the user presses Ctrl/Cmd+S in edit mode. In environments that expose writable local/workspace files over HTTP, this can overwrite the served file unexpectedly, enabling content tampering or persistence of untrusted edits beyond a normal presentation workflow.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The HTML deck fetches fonts from Google-hosted CDNs, which makes the file non-self-contained and causes outbound network requests when opened. While not an active code-execution flaw, this creates a privacy/supply-chain exposure and contradicts the product's 'zero-dependency' positioning, which can mislead users deploying decks in offline or sensitive environments.

Intent-Code Divergence

Low
Confidence
97% confidence
Finding
The presentation claims the output is 'self-contained' and has 'zero dependencies,' but the document imports external fonts, so the claim is materially inaccurate. In a security context this matters because users may trust the file in restricted, offline, or privacy-sensitive settings and unknowingly permit third-party requests.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill advertises that the presentation is just a local HTML file, but the editor silently attempts an HTTP PUT to the current path when saving. In a hosted environment, this can send edited slide contents and speaker notes to a server endpoint unexpectedly, creating undisclosed network exfiltration and possible unintended remote modification behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The page serializes the full DOM and attempts to overwrite the currently served HTML resource via an unauthenticated HTTP PUT to location.pathname. If this file is hosted behind a permissive or misconfigured server that accepts PUT, ordinary page interaction could modify server content unexpectedly, enabling content tampering or persistence of injected edits.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The template enables in-browser editing of slide content and then attempts to overwrite the current file via an HTTP PUT to location.pathname. In contexts where these HTML files are hosted on a server that accepts PUT or where local tooling proxies writes, this can become an unintended arbitrary content modification path, expanding the skill from static slide generation into live file editing and server-side overwrite behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The save routine attempts an HTTP PUT to the current page path before falling back to a download. A presentation template should not silently attempt network write-back, because when served from a writable origin this can modify hosted content or trigger unintended authenticated state-changing requests against the same origin without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The page includes same-origin HTTP write capability via a PUT to location.pathname, which is not necessary for merely viewing a slide deck. In environments where the HTML is served from a writable endpoint, any script executing in the page context—including future injected code or compromised dependencies—could overwrite server-side content, turning a presentation into a content-modification primitive.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file claims to be a simple browser-openable HTML presentation, but Ctrl+S triggers code that attempts to overwrite the hosted HTML via an HTTP PUT to the current path. That introduces unexpected server-side write behavior from a document that users would reasonably treat as static content, and could modify content on misconfigured servers or local editing environments without clear consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Using fetch(..., { method: 'PUT' }) gives the presentation the ability to attempt writes back to its source URL, which exceeds the stated purpose of viewing/editing slides locally. If served from an environment that accepts PUT, this can alter hosted content or create an unsafe write primitive from a page that appears to be static.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The file repeatedly claims to be a single self-contained, zero-dependency HTML presentation, yet it fetches a Google Fonts stylesheet and preconnects to external Google domains. This mismatch can break offline use, leak viewer metadata to third parties, and violates supply-chain expectations for a supposedly standalone artifact.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The HTML deck includes a built-in edit mode that makes slide text content editable in the browser and supports persistence of those changes. That exceeds the stated purpose of generating/viewing slides and creates an unexpected file-modification capability, which can alter local or hosted content without clear user disclosure or access controls.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The save routine issues an HTTP PUT to the current path, attempting to overwrite the served HTML document in place. If this deck is hosted in an environment that accepts such writes, a user opening the file and triggering save could modify published content or stored artifacts, enabling unauthorized tampering and persistence beyond the browser session.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This deck is not just rendering static slides: it enables in-browser editing of slide text and speaker notes, then couples that with persistence logic. In a presentation skill, this materially expands the attack surface because untrusted rendered content can be modified and later saved as authoritative HTML, creating integrity and supply-chain risk beyond normal viewing behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The saveFile() function performs write-capable persistence by issuing a PUT to the current path and, on failure, exporting a replacement HTML file. In the context of a slide-rendering skill, write-back to the served file is dangerous because any opened deck becomes an editor capable of altering stored artifacts, enabling unauthorized modification or persistence of tampered content if the hosting environment accepts the request.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file embeds an editing mode that makes slide text contenteditable and allows speaker notes to be modified in-browser, which expands the skill from passive slide rendering into document mutation. In a skill whose stated purpose is generating HTML slides, this extra capability increases attack surface and can enable unauthorized content changes, persistence attempts, or abuse in environments that serve the file from writable origins.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The saveFile() function issues a PUT request to location.pathname with the full HTML document body, attempting to overwrite the hosted presentation. If deployed on an origin that permits PUT or is fronted by permissive middleware, this creates a self-modifying page capability that can be abused for unauthorized file overwrite, defacement, or stored-content injection.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements a built-in edit mode that makes slide text and speaker notes directly mutable in the browser, which exceeds the expected scope of a slide rendering template. In this skill context, adding undisclosed content-editing capability increases attack surface and creates integrity risks, especially because it pairs with persistence logic that can modify the underlying HTML artifact.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The saveFile() function serializes the entire live DOM and attempts to overwrite the current HTML file using HTTP PUT to location.pathname. This grants the deck active write capability to its own served resource, which is far beyond what a presentation template needs and can enable unauthorized content replacement, persistence of injected edits, or tampering with trusted artifacts when hosted in environments that accept PUT.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The generated slide deck contains a full in-browser editing mode that enables arbitrary modification of rendered content and notes, which exceeds a presentation-only artifact. In this skill context, the danger increases because the editor is bundled into generated output by default, creating an unexpected capability boundary where a viewed slide can become a mutable document with persistence behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The save routine attempts to write the current HTML back to its own path via an HTTP PUT request, which is a direct file-modification capability from within the browser. If the deck is hosted in an environment that accepts PUT or maps the path to writable content, an attacker or accidental user action could alter served artifacts, deface content, or persist injected changes.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Severity: Critical (every location below)
Code: suspicious.dynamic_code_execution
Locations:
  • scripts/run_evals.py:40
  • tests/test_audit_style_consistency_autofix.py:13
  • tests/test_export_integration.py:123
  • tests/test_family_demo_strict_validate.py:28
  • tests/test_main_cli.py:19
  • tests/test_skill_eval_runner.py:32
  • tests/test_title_profile_registry.py:28
  • tests/test_validate_console_output.py:15
  • tests/test_validate_css_vars.py:17
  • tests/test_validate_default_chrome.py:17
  • tests/test_validate_js_engine_contract.py:17
  • tests/test_validate_priority_preset_contracts.py:17
  • tests/test_validate_title_balance.py:17
  • tests/test_validate_visual_variety.py:17