Generate illustrated PPTs from course content descriptions

Security checks across malware telemetry and agentic risk

Overview

This PPT skill is mostly purpose-aligned, but it needs Review because it can send slide content to third-party services, persist prompts in outputs, and includes unsafe generation guidance without clear user control.

Install only if you are comfortable with slide titles, bullets, and related prompt content being sent to external image-generation services and possibly retained in local prompt files or PPTX speaker notes. Avoid confidential, regulated, or proprietary content unless you first disable or control networked image generation, review generated notes before sharing PPTX files, and keep any Git identity setup project-scoped rather than global.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises only high-level PPT functionality, but static analysis indicates access to environment variables, file writing, and network operations without declaring permissions. Undeclared capabilities reduce user visibility and informed consent, and in a skill that handles documents and media generation, they create a real risk of unexpected data access, remote data transfer, or filesystem modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The described behavior omits several materially relevant actions: external API calls for image generation, local file writes to the Desktop, browser automation for export, and embedding prompt content into PPTX speaker notes. This mismatch is dangerous because users may provide sensitive course or business content believing the skill only formats slides, while the implementation may transmit data externally, persist artifacts locally, or embed hidden metadata into deliverables.
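The two findings above both come down to capabilities the code exercises but the skill never declares. The following is an added example of how such a check can be done, not SkillSpector's scanner or the skill's code: it walks a constructed sample script's AST for environment reads, file writes and network calls, and diffs the observed set against a hypothetical permission manifest. The capability labels, the manifest shape and the sample script are assumptions made for the example.

```python
"""Static capability check for an agent skill (added example, not SkillSpector's code).

Assumptions (not from the page): the skill ships a Python script and a small
manifest of declared permissions. The scanner walks the script's AST for
environment access, file writes, network calls and subprocess use, then
reports capabilities the manifest does not declare.
"""
import ast

# Constructed sample: a skill script that reads an env var, posts slide text to
# an image API and writes a prompt file, while its manifest declares only
# "filesystem:read". Mirrors the behaviour described in the findings above.
SAMPLE_SKILL_SOURCE = r'''
import os
import requests

def render_image(slide_title, bullets):
    api_key = os.environ["MINIMAX_API_KEY"]
    prompt = slide_title + "\n" + "\n".join(bullets)
    resp = requests.post("https://api.minimaxi.com/v1/image_generation",
                         json={"prompt": prompt},
                         headers={"Authorization": api_key})
    with open(os.path.expanduser("~/Desktop/prompt.txt"), "w") as f:
        f.write(prompt)
    return resp
'''

SAMPLE_MANIFEST = {"declared_permissions": ["filesystem:read"]}

# Hypothetical mapping from call sites to capability labels.
NETWORK_CALLS = {"requests.post", "requests.get", "urllib.request.urlopen", "httpx.post"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "os.system"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def observed_capabilities(source):
    """Collect capability labels actually exercised by the script."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        # os.environ["KEY"]
        if isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            caps.add("env:read")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("os.environ.get", "os.getenv"):
                caps.add("env:read")
            elif name in NETWORK_CALLS:
                caps.add("network:egress")
            elif name in SUBPROCESS_CALLS:
                caps.add("process:exec")
            elif name == "open":
                # Mode decides read vs write; default open() mode is "r".
                mode = "r"
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = node.args[1].value
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                writes = any(c in str(mode) for c in "wax+")
                caps.add("filesystem:write" if writes else "filesystem:read")
    return caps


def undeclared_capabilities(source, manifest):
    """Capabilities the code uses that the manifest does not declare."""
    declared = set(manifest.get("declared_permissions", []))
    return sorted(observed_capabilities(source) - declared)


if __name__ == "__main__":
    for cap in undeclared_capabilities(SAMPLE_SKILL_SOURCE, SAMPLE_MANIFEST):
        print("undeclared:", cap)
```

Run against the constructed sample this reports env:read, filesystem:write and network:egress as undeclared. A real scanner would also need to resolve aliased imports and dynamic calls, which this AST pass does not attempt.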

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the model to generate stylistically similar alternatives for sensitive or copyrighted figures and says 'DO NOT refuse to generate,' which attempts to override normal safety or rights-respecting refusal behavior. In a slide-generation skill, this is not necessary for core functionality and creates a clear pathway for policy evasion around copyrighted or otherwise restricted depictions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to proactively perform web retrieval whenever user input is sparse, even though the skill's core purpose is generating course PPTs from teacher-provided material. This expands data flow and trust boundaries without explicit user consent, creating risks of pulling in inaccurate, copyrighted, or prompt-injection-laden external content into generated materials.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill advises running `git config --global user.email` and `git config --global user.name`, which changes persistent global user configuration outside the slide-deck project scope. Even though presented as error recovery, this is unrelated to core slide authoring and can modify the host environment in a way that affects other repositories, leaks identity data into future commits, or violates least-privilege expectations for an agent skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description includes very broad trigger phrases such as 'create slides', 'make a presentation', 'generate deck', 'slide deck', and 'PPT', which can match many ordinary user requests and cause the skill to activate unintentionally. Because this skill can read local files, write prompts and outputs, and invoke external tooling for image generation and file merging, unintended invocation expands the chance of unnecessary file processing and tool execution in contexts where the user did not explicitly request this specific skill.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
This is a true policy-bypass issue because the wording directs the model to produce substitutes for sensitive or copyrighted figures specifically to avoid refusal. That normalizes non-compliance with content safeguards and could be used to generate infringing or disallowed lookalike imagery under the guise of presentation design.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates online retrieval to supplement content but does not require explicit user notice or consent before contacting external sources. In an educational setting, this can leak user intent or sensitive course-preparation context and exposes the agent to untrusted remote content without transparency.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises AI-generated images via MiniMax, but it does not clearly warn users that slide titles, bullets, and other presentation content may be transmitted to an external third-party API. This creates a real confidentiality and compliance risk because users may include proprietary business material, internal training content, or personal data in slides without informed consent about external data sharing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code builds prompts from slide titles, content, bullets, and chapters, then sends them to a third-party image-generation API. This can expose potentially sensitive or proprietary presentation content to an external service without explicit consent, notice, redaction, or policy controls.
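The three Missing User Warnings findings describe the same gap from different angles: slide text is turned into an image prompt and sent off-host with no consent step, no notice and no redaction. The block below is an added example of a gate that could sit in front of that call; it is not the skill's code and not a MiniMax client. The policy object, its defaults, the redaction patterns and the sample slide are all assumptions made for the example, and the patterns are illustrative rather than a complete data-loss-prevention ruleset.

```python
"""Consent and redaction gate in front of an image-generation prompt.

Added example, not the skill's code. Assumes a hypothetical policy object
with two switches: whether networked image generation is enabled at all, and
whether the user has acknowledged that slide text leaves the machine. The
provider URL is the one the skill's config declares; nothing here contacts it.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class EgressPolicy:
    external_images_enabled: bool = False      # default off: nothing leaves the host
    user_acknowledged_transfer: bool = False   # explicit consent, not implied
    provider_url: str = "https://api.minimaxi.com/v1/image_generation"


@dataclass
class GateResult:
    allowed: bool
    prompt: Optional[str]   # redacted prompt, or None when blocked
    message: str            # notice to show the user, or the block reason


# Illustrative redaction rules (constructed for the example): e-mail addresses
# and any line the author marked confidential or internal only.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[email]"),
    (re.compile(r"(?im)^.*\b(confidential|internal only)\b.*$"), "[redacted line]"),
]


def redact(text):
    """Apply each redaction rule in order to the prompt text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def gate_image_prompt(slide, policy):
    """Build the prompt the skill would send, but only when policy allows and
    only after redaction. The returned message is meant for the UI and, if the
    skill keeps speaker notes, for the notes instead of the raw prompt."""
    if not policy.external_images_enabled:
        return GateResult(False, None,
                          "networked image generation is disabled; use local placeholders")
    if not policy.user_acknowledged_transfer:
        return GateResult(False, None,
                          f"user has not acknowledged that slide text is sent to {policy.provider_url}")
    raw = "\n".join([slide["title"], *slide.get("bullets", [])])
    prompt = redact(raw)
    notice = f"Image prompt derived from slide text was sent to {policy.provider_url}"
    return GateResult(True, prompt, notice)


# Constructed sample slide mixing course content with material that should not
# reach a third party.
SAMPLE_SLIDE = {
    "title": "Week 3: Cache side channels",
    "bullets": [
        "Flush+Reload on shared pages",
        "CONFIDENTIAL: customer incident 2024-Q2 details",
        "Contact: prof@example.edu",
    ],
}

if __name__ == "__main__":
    print(gate_image_prompt(SAMPLE_SLIDE, EgressPolicy()).message)
    consented = EgressPolicy(external_images_enabled=True, user_acknowledged_transfer=True)
    print(gate_image_prompt(SAMPLE_SLIDE, consented).prompt)
```

With the default policy the call is refused before any prompt is built; with both switches set the prompt still goes out with the confidential line and the address removed, and the notice, not the prompt, is what should land in speaker notes.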

Ssd 1

Medium
Confidence
97% confidence
Finding
The prompt encourages bypassing refusal behavior by reframing prohibited or restricted requests as 'stylistically similar alternatives,' which is a classic safety-evasion pattern. Because this skill is intended for commercial and educational slide production, the instruction broadens misuse risk by embedding the bypass into a reusable base prompt rather than a one-off user request.

External Transmission

Medium
Category
Data Exfiltration
Content
# API configuration
[api]
provider = minimax
api_url = https://api.minimaxi.com/v1/image_generation
model = image-01
aspect_ratio = 16:9
Confidence
84% confidence
Finding
https://api.minimaxi.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal