Security audit

一句话生成PPT (one-sentence PPT generation)

Security checks across malware telemetry and agentic risk

Overview

This slide-generation skill appears purpose-aligned, but it is rated Review because it can read a local Gemini API key and send slide content or personal images to an external AI service without strong user-facing consent controls.

Install only if you are comfortable with Gemini processing the prompts, slide text, reference images, and any personal photo placed in assets/character. Use a Gemini API key with limited scope and quota, keep confidential decks out of it unless external processing is acceptable, and verify that helper scripts are resolved from the installed skill directory rather than from an unintended path that happens to match.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill invokes external scripts, reads environment variables, and uses network-backed image generation, yet it declares no permissions or capability disclosures. This is a transparency and consent problem: neither the user nor the host system can determine, before use, that the skill will access local secrets and send data externally.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill instructs the agent to read a credential directly from the user's local ~/.claude/.env file and export it into the shell environment. Accessing local secrets is sensitive behavior; once normalized without explicit permission boundaries, the exported key becomes visible to every later command, log line, subprocess, and workflow step in that shell.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: This repeats the same unsafe credential-access pattern for Path A image generation. Repetition across workflow branches increases the chance that the key is read and used automatically, without the user's informed consent, every time illustrations are generated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: This is the same credential-harvesting pattern in Path B, where all slides are generated through an external API. Because Path B may send complete slide content and imagery, the combination of secret access and bulk external transmission materially raises confidentiality risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: This template explicitly instructs users to export a local API key from `~/.claude/.env` into the shell environment and then run commands, which handles the secret outside any controlled secret-management flow. In an agent skill context, operational guidance that references local secret files materially increases the risk of credential exposure, accidental exfiltration, and normalization of unsafe secret-handling practices.
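The four credential findings above describe one pattern: read the key from `~/.claude/.env`, `export` it, then run helper scripts. The following is an added example (not the skill's own code, and the variable name `GEMINI_API_KEY`, the helper path `scripts/generate_image.py`, and the dotenv format are assumptions) of how to do the same work without the key ever entering the interactive shell: parse the file in-process, warn if its permissions expose it, resolve the helper strictly inside the installed skill directory, and pass the key only in that one child's environment.

```python
"""
Added example (not the skill's own code): read the Gemini key from
~/.claude/.env and hand it only to the helper that needs it, instead of
exporting it into the shell where every later command, log and subprocess
can see it. GEMINI_API_KEY and the helper script name are assumptions.
"""
import os
import re
import subprocess
import sys
from pathlib import Path
from typing import Mapping

ENV_FILE = Path.home() / ".claude" / ".env"   # the file named in the findings
KEY_NAME = "GEMINI_API_KEY"                   # assumed variable name

_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=value parser: blank lines and '#' comments skipped,
    optional 'export' prefix and surrounding quotes removed."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[name] = value
    return values


def mode_warnings(mode: int) -> list:
    """Warn when the secret file is readable or writable by group/others."""
    warnings = []
    if mode & 0o044:
        warnings.append(f"secret file is readable by other users (mode {mode & 0o777:04o})")
    if mode & 0o022:
        warnings.append(f"secret file is writable by other users (mode {mode & 0o777:04o})")
    return warnings


def load_key(env_file: Path = ENV_FILE, name: str = KEY_NAME) -> str:
    """Read the key from the dotenv file without touching os.environ."""
    for warning in mode_warnings(env_file.stat().st_mode):
        print(f"warning: {warning}", file=sys.stderr)
    values = parse_dotenv(env_file.read_text(encoding="utf-8"))
    if not values.get(name):
        raise KeyError(f"{name} is not set in {env_file}")
    return values[name]


def helper_is_inside(skill_dir, script: str) -> bool:
    """True only if script resolves to a path strictly inside skill_dir
    (rejects ../ traversal and symlinks that point elsewhere)."""
    base = Path(skill_dir).resolve()
    target = (base / script).resolve()
    return base in target.parents


def resolve_helper(skill_dir, script: str) -> Path:
    """Absolute path of the helper, or ValueError if it escapes the skill directory."""
    if not helper_is_inside(skill_dir, script):
        raise ValueError(f"{script} does not resolve inside {Path(skill_dir).resolve()}")
    return (Path(skill_dir).resolve() / script).resolve()


def scoped_env(base_env: Mapping, key: str) -> dict:
    """Environment for one child process: a copy of base_env with the key set,
    leaving the parent shell's environment untouched."""
    env = {k: v for k, v in base_env.items() if k != KEY_NAME}
    env[KEY_NAME] = key
    return env


def run_helper(skill_dir, script: str, *args: str) -> subprocess.CompletedProcess:
    """Run <skill_dir>/<script> with the key visible only to that child."""
    target = resolve_helper(skill_dir, script)
    env = scoped_env(os.environ, load_key())
    # capture_output keeps the helper's stdout/stderr out of the shell transcript
    return subprocess.run([str(target), *args], env=env, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # assumed layout: helper script scripts/generate_image.py inside the skill directory
    result = run_helper(Path(__file__).parent, "scripts/generate_image.py", "--prompt", "title slide")
    print(result.stdout)
```

The key still reaches one process, which is unavoidable, but it is no longer in the agent's shell history, in later tool calls, or inherited by unrelated subprocesses, and a helper name like `../../somewhere/else.sh` is refused instead of silently running from a matching path outside the skill.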

Missing User Warnings

Severity: High
Confidence: 94%
Finding: The skill sends prompts and reference images to an external image-generation service but does not clearly warn users that their content leaves the local environment. This can expose confidential presentation material, proprietary designs, or personal imagery to third-party processing without informed consent.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The workflow can automatically generate a character sheet from a user's personal photo, which is sensitive biometric and personal data, without a strong privacy warning or an explicit opt-in tied to the external processing. This is more dangerous in context because the skill presents itself as a presentation tool, so users have no reason to expect portrait data to be transmitted to a third-party AI service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code opens local HTML, which may be attacker-controlled, via Playwright using a file:// URL, so Chromium parses and executes the page in a real browser context. Although the function is intended for HTML-to-PPT conversion, embedded scripts, remote images, fonts and CSS, and other external resources can trigger network access or local file reads during rendering. If untrusted HTML is accepted, this creates SSRF and privacy-leak exposure and, more broadly, exposes the browser attack surface.
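As an added example (not the skill's code; the deck layout, the `GEMINI`-free render path, and the sample HTML are constructed for illustration), the following shows two controls for the finding above: a pre-render scan that lists every fetched reference that is remote or an explicit file:// URL, and a render step that launches Chromium with JavaScript disabled, the context set offline, and a route policy that aborts any request not resolving inside the deck's own directory. The Playwright calls (`new_context(java_script_enabled=..., offline=...)`, `page.route`, `route.abort`) are the real Playwright for Python API; that route interception sees every subresource request is an assumption to verify on your Playwright version, with offline mode as the primary control.

```python
"""
Added example (not the skill's own code): render a deck's HTML for PPT
conversion while cutting off network and out-of-tree file access.
Assumptions: the deck lives in one directory, Playwright for Python is
installed, and its route interception sees every subresource request
(verify on your Playwright version; offline mode is the primary control).
"""
import posixpath
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Tags whose src/href/data attributes Chromium fetches while rendering
FETCHING_TAGS = {"img", "script", "link", "iframe", "frame", "source",
                 "video", "audio", "embed", "object"}
REMOTE_SCHEMES = {"http", "https", "ftp", "ws", "wss"}


class _RefScanner(HTMLParser):
    """Collect (tag, url) for every fetched attribute on a fetching tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                self.refs.append((tag, value))


def classify(url: str) -> str:
    """'remote' leaves the machine (includes protocol-relative //host/x),
    'local-file' is an explicit file:// URL, 'relative' stays inside the deck,
    'other' covers data:, blob: and similar."""
    parts = urlsplit(url.strip())
    if parts.scheme in REMOTE_SCHEMES or (not parts.scheme and parts.netloc):
        return "remote"
    if parts.scheme == "file":
        return "local-file"
    if not parts.scheme:
        return "relative"
    return "other"


def external_references(html: str) -> list:
    """Pre-render scan: every fetched reference that is not deck-relative.
    Inline CSS url()/@import is not parsed here; the render-time controls cover it."""
    scanner = _RefScanner()
    scanner.feed(html)
    return [(tag, url, classify(url)) for tag, url in scanner.refs
            if classify(url) != "relative"]


def is_allowed_request(request_url: str, deck_dir) -> bool:
    """Render-time policy: only file:// requests that resolve inside deck_dir."""
    parts = urlsplit(request_url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return False
    requested = Path(posixpath.normpath(unquote(parts.path)))  # collapse ../ first
    return Path(deck_dir).resolve() in requested.parents


def render_deck(html_path: str, out_png: str) -> list:
    """Screenshot the deck with JS off, browser offline, out-of-tree loads aborted.
    Returns the pre-scan findings so the caller can warn the user or refuse."""
    from playwright.sync_api import sync_playwright  # lazy: only needed to render

    html_file = Path(html_path).resolve()
    deck_dir = html_file.parent
    findings = external_references(html_file.read_text(encoding="utf-8"))
    with sync_playwright() as p:
        browser = p.chromium.launch()
        context = browser.new_context(java_script_enabled=False, offline=True)
        page = context.new_page()
        page.route("**/*", lambda route: route.continue_()
                   if is_allowed_request(route.request.url, deck_dir) else route.abort())
        page.goto(html_file.as_uri())
        page.screenshot(path=out_png, full_page=True)
        browser.close()
    return findings


# Constructed sample deck fragment, used only to exercise the scanner
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script src="http://169.254.169.254/latest/meta-data/"></script>
</head><body>
<img src="images/slide1.png">
<img src="//cdn.example/track.gif">
<img src="file:///etc/passwd">
</body></html>"""
```

Refusing to render when `external_references` is non-empty is the simplest policy for a presentation tool; a deck that genuinely needs a remote font should be the exception the user approves, not the default the browser fetches silently.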

VirusTotal

65 of 65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.