Deck Builder

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only deck-building skill that creates slide images and assembles a PowerPoint, with no evidence of hidden access, persistence, credential use, or exfiltration.

Install only if you want an agent to create PowerPoint decks through downstream slide-generation tools. Specify the slide count, style, and content boundaries up front, and avoid putting sensitive information into the prompt unless you are comfortable with it being passed through the deck-generation workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description is extremely broad ('AI agent for deck builder tasks') and does not define clear trigger conditions, inputs, or safety boundaries. In an agent ecosystem, this can cause over-invocation or invocation in contexts where file generation and tool use were not explicitly intended by the user, increasing the chance of unauthorized actions or misuse.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The instructions explicitly direct the agent to generate slide assets, stitch them into a .pptx, and submit the result, but there is no requirement to disclose to the user that a file will be created and delivered. This is risky because it enables silent file creation and multi-step tool execution, which can surprise users, bypass informed consent, and expand the blast radius if the skill is invoked inappropriately.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal