Security audit

Codex PPT

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PPT generator that creates local deck files and, when configured, uses image-generation APIs to make slide images.

Install only if you are comfortable with a skill that creates local project files, installs a small Python runtime, and may send slide prompts or source images to OpenAI or a configured compatible image provider. For sensitive decks, prefer the built-in image tool when available and verify OPENAI_BASE_URL before using API fallback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill declares access to environment variables, files, network, and shell-capable tooling in its metadata and workflow, but it does not declare permissions or prominently constrain those capabilities for users. That creates a transparency and least-privilege problem: a user may invoke what appears to be a simple presentation generator while it can read configuration, write project files, call external APIs, and run local scripts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented purpose presents the skill as a deck generator, but the actual behavior includes API calls, runtime/environment setup, .env handling, endpoint checks, state mutation across subagents, and image post-processing. This mismatch is dangerous because users and reviewers may underestimate the skill's ability to exfiltrate content to external services, alter local configuration, or modify workflow state and project files beyond what the description suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The script explicitly supports reading OPENAI_API_KEY and sending prompts and image inputs to a configurable OPENAI_BASE_URL, including third-party proxy providers. That creates a real data-exfiltration and trust-boundary risk because user content and credentials may be sent outside the expected first-party service, which is broader than a simple deck-generation skill.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The workflow states that the skill may use the current working directory or source-file directory and later creates project artifacts, but it does not clearly warn users that files may be created or overwritten there. This can cause accidental data loss or confusing workspace changes, especially in shared or important directories.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: This provider forwards prompts, payload data, and local image/mask file contents to a remote OpenAI-compatible endpoint, but the code does not enforce any consent, disclosure, or destination validation. In a presentation-generation skill, inputs may contain proprietary reports, papers, or notes, so silent transmission to arbitrary base_url endpoints can create confidentiality and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.