Security audit

PPT Compression Master! Automatically compresses the video and image assets inside a PPT, with compression ratios as high as 90%!

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real PPT compression tool, but it needs review because it can change the Python environment and download executable ffmpeg binaries without integrity checks.

Install only if you are comfortable running local Python code that processes your PPT files and may install dependencies. Prefer a trusted system ffmpeg, or verify any downloaded ffmpeg binaries yourself; install Pillow explicitly in a virtual environment; and avoid pasting untrusted filenames or message text into the skill's python -c command templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Pillow not found. Installing...")
    try:
        result = subprocess.run(
            [sys.executable, '-m', 'pip', 'install', 'Pillow', '-q'],
            capture_output=True, text=True, timeout=120
        )
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, '-m', 'pip', 'install', 'Pillow', '-q'], capture_output=True, text=True, timeout=120 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read and write user-supplied files, execute shell/Python commands, and perform network downloads, yet it declares no permissions or safety boundaries. This is dangerous because it hides high-risk capabilities from the platform and users, increasing the chance of unauthorized file modification, command execution, or external binary retrieval without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is PPT compression, but the skill also downloads ffmpeg from external sources, auto-installs Pillow via pip, and extracts paths from arbitrary user text. Those extra behaviors materially expand the trust and attack surface beyond simple local media processing, especially because they introduce supply-chain risk and implicit execution/network activity not clearly disclosed in the core purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Auto-installing Pillow via pip introduces outbound package retrieval and arbitrary third-party code execution capabilities that are unrelated to the core task of compressing a PPT. In a skill/agent environment, this is more dangerous because the user expects local document processing, not hidden dependency installation that changes the system state and broadens attack surface.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill tells the agent to create a compressed PPT and alter embedded media without prominently warning the user that a new file will be written and media content may change in quality or compatibility. This is dangerous because users may unintentionally authorize destructive or lossy processing of sensitive presentation assets without understanding the side effects.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The callable API can trigger pip installation without prior user consent or a strong warning, causing silent environment modification and potential network access. For an autonomous agent skill, this is a significant policy and security concern because a simple file-processing request can unexpectedly install software and execute setup code from external packages.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script downloads executable binaries from third-party URLs and places them into a local bin directory without any integrity verification such as pinned checksums or signature validation. If the upstream source, transport path, or DNS/TLS trust chain is compromised, users could end up executing a trojaned ffmpeg/ffprobe binary, resulting in arbitrary code execution.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.