
Security audit

pptx

Security checks across malware telemetry and agentic risk

Overview

This is a PowerPoint helper skill with expected local file-editing risks, not evidence of hidden theft, persistence, or destructive behavior outside the presentation workflow.

Install only if you want an agent to create or modify PowerPoint files locally. Work in a dedicated folder, keep backups of original decks, review replacement JSON before applying it, choose output paths carefully, and avoid rendering untrusted HTML or Office files outside a sandboxed environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill clearly instructs use of shell commands, file reads/writes, and environment-dependent tooling, yet it declares no permissions. That creates a trust-boundary problem: an orchestrator or reviewer may assume the skill is low-risk while it can actually unpack archives, modify files, and invoke external programs. In a skill system, undeclared capabilities increase the chance of unintended invocation and insufficient sandboxing.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The public description frames the skill as handling PPTX work, but the instructions cover broader OOXML and external-tool workflows that can touch other Office formats and perform low-level archive manipulation. This mismatch can cause users or automation to approve the skill for a narrow use case while it actually has a wider operational footprint, including repacking document structures and invoking multiple converters. The issue is primarily deceptive scope and overreach rather than a direct exploit primitive.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger phrase 'any other presentation tasks' is overly broad and can cause this skill to activate for loosely related requests. Because the skill includes shell execution, file manipulation, and document transformation workflows, broad routing increases the chance that high-capability behavior is invoked when a narrower or safer tool would suffice. In agent systems, overbroad activation criteria are a real security and safety concern.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documented behavior automatically clears text from every inventoried shape not present in the replacement JSON, which is destructive by default. Without a strong warning and a safer default, a partial or mistaken replacement file can silently erase substantial presentation content. This is especially risky in automated agent flows, where an omission may be accidental rather than intentional.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The document gives explicit deletion instructions for slides, relationships, content type entries, and media cleanup without telling the agent to confirm destructive actions with the user or preserve a backup. In a presentation-editing skill, that can lead to irreversible content loss if the model applies the guidance too aggressively or misunderstands the user's intent.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The validation checklist recommends removing unreferenced media, fonts, and notes directories, which is a destructive cleanup step. Without a warning that references may be indirect or that template assets may still be needed, an agent could delete required resources and corrupt the presentation or discard user data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The function opens a caller-controlled local HTML file in a full browser context via Playwright using a file:// URL. Rendering attacker-supplied HTML can execute embedded JavaScript and trigger access to local files or network resources from the host environment, which is especially risky in an agent skill that may process untrusted presentation inputs automatically.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.