Pitch Deck Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should avoid submitting confidential startup details unless they trust the external API provider.

Use this only with startup information you are comfortable sending to a third-party pitch deck API. Consider generalizing revenue, traction, roadmap, team, and funding details, and avoid supplying a real userId unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly collects session identifiers, timestamps, and an optional user ID for tracking, audit, analytics, and personalization, but the documentation provides no user-facing disclosure about retention, sharing, purpose limitation, or privacy handling. This creates a genuine privacy and compliance risk because users may submit business-sensitive startup data alongside linkable identifiers without informed consent or clear data-governance boundaries.

Missing User Warnings

Medium
Confidence: 94%
Finding
The request schema collects sessionId, userId, and timestamp without any user-facing disclosure of why these identifiers are needed, how they are used, or whether they are stored or shared. In an agent-skill context, silent transmission of identifiers increases privacy risk, enables tracking/correlation across requests, and can lead to overcollection of personal or pseudonymous data.

VirusTotal

66/66 vendors flagged this skill as clean.
