Security audit

Pptx Generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PowerPoint-generation skill with expected .pptx file output and only minor usability cautions around broad triggers and file naming.

Before installing, expect the skill to create PowerPoint files when you ask for a presentation. Check the filename and destination before writing in shared workspaces, and avoid overwriting existing files or adding sensitive content to reusable templates unless it has been sanitized.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The skill metadata includes broad trigger phrases such as '制作PPT' and references to a meta-skill trigger, which can cause the skill to activate in situations where a user did not clearly intend file-generation behavior. Unintended invocation is more concerning here because the skill is designed to create output files and proceed through an execution workflow automatically.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill instructs that a .pptx file will be generated and saved, but it does not clearly warn the user in advance about file creation semantics, destination, overwrite behavior, or permission expectations. This can lead to surprise file writes, confusion about where artifacts are stored, or accidental overwriting when the skill is invoked unintentionally or in shared environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal