HML Google Slides

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Google Slides helper, but it asks for and handles broader Google account authority than its purpose needs.

Review before installing. Only use it with a Google account you intentionally select, avoid granting unrelated Google scopes, and do not run comment-resolve/reply or raw batch operations unless you understand exactly what will change. The evidence does not show malware or exfiltration, but the credential handling and overbroad Google authority need tightening.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill invokes shell commands, uses environment variables, and accesses Google network APIs, but it does not declare permissions or boundaries for those capabilities. In an agent setting, undeclared execution and network/auth capabilities reduce policy enforcement and user awareness, making accidental overreach or misuse of existing credentials more likely.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill claims Slides creation/edit/export behavior, but it also includes comment listing, resolution, and reply actions that affect collaboration metadata and user communications. This broadens the effective authority of the skill beyond the stated purpose, increasing the risk of unauthorized workflow changes, suppression of review comments, or impersonation-like replies under an authenticated account.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The re-auth instruction requests broad scopes for gmail, calendar, docs, sheets, contacts, tasks, and people, far beyond what is needed for Slides/Drive operations. If followed, this grants unnecessary access to unrelated sensitive data and services, so compromise or misuse of the agent or tokens would have a much larger blast radius.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The skill advertises Slides creation/edit/export, but it also accesses Drive comments and can read or resolve them. That is a scope expansion beyond the declared capability, increasing the chance that an agent or user invokes broader Google Drive privileges than expected and exposing comment content or modifying collaboration state.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: `cmd_batch` accepts an arbitrary JSON file of Slides API requests and forwards it directly to `batchUpdate`, enabling a much broader set of write operations than the advertised narrow helpers. In an agent context, this creates an overly general mutation primitive that can delete content, alter speaker notes, manipulate objects, or perform other unexpected presentation changes without policy gating.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill repeatedly directs operations through a specific authenticated identity and assumes access to that account's tokens without warning or consent. In a multi-user or shared agent environment, this can cause data access, edits, exports, and comment actions to occur under the wrong identity, exposing private content or modifying resources unintentionally.

Natural-Language Policy Violations
Severity: Medium
Confidence: 96%
Finding: Hard-coding david@hml.tech as the default account forces operations into one identity without justification or flexibility. This increases the likelihood of unauthorized access or unintended actions against that account's Google resources, especially if the skill is reused outside the original author's environment.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The code exports OAuth material to a predictable temporary file at `/tmp/gog_slides_token.json` and then reads it back, without secure file creation, restrictive permissions, or cleanup. On multi-user systems this can expose refresh tokens to other local users via symlink attacks, file theft, or residual sensitive data left on disk.

VirusTotal

66/66 vendors flagged this skill as clean.