Back to skill

Security audit

Gamma

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Gamma.app integration that sends user-provided presentation or document content to Gamma's API, with privacy cautions but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending the prompts, documents, and file contents you explicitly provide to Gamma.app using your Gamma API key. Avoid submitting secrets, private keys, regulated data, or confidential business material unless your use of Gamma is approved, and do not let an agent choose local files autonomously for upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill exposes shell-based execution through documented script invocations but does not declare any corresponding permissions. This creates a capability/visibility mismatch: consumers or enforcement systems may treat the skill as less privileged than it really is, while the shell interface can process untrusted user-supplied content and environment-backed secrets such as GAMMA_API_KEY.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits user-supplied content to Gamma's external API, but it does not provide any explicit warning, confirmation, or redaction step before doing so. In an agent/skill context, users may assume local processing and could unintentionally send confidential, proprietary, or regulated data to a third party, creating privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.