
Security audit

Sum2Slides Lite

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a conversation-to-PPT tool, but its code attempts external Feishu sharing by default and includes messaging and credential-handling behavior that is not covered by its declared scope; users should review that code first.

Install only if you are comfortable reviewing the code and using it in local-only mode first. Do not configure Feishu credentials for sensitive conversations unless you intend uploads, verify the actual destination before sharing, and avoid storing app secrets in plaintext config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill metadata declares no required environment permissions, yet the documented and analyzed behavior includes environment variable access, file read/write, shell commands, and optional network use. This is dangerous because it prevents accurate informed consent: users may install a skill believing it is low-privilege when it can access broader capabilities, including secrets and network paths when enabled.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose claims a narrow function (summarizing conversations into PPT with optional Feishu upload), but the analyzed behavior includes system inspection, AppleScript/WPS automation, home-directory persistence, risk-record generation, and broader multi-platform upload scaffolding. This mismatch is dangerous because users may trust the skill for a simple local document task while it performs additional actions that expand attack surface, privacy exposure, and persistence beyond the advertised scope.

Description-Behavior Mismatch
Severity: Medium
Confidence: 80%
Finding: The file implements a broad multi-platform integration abstraction despite the skill being described as dialogue-to-PPT with optional Feishu upload. This capability expansion increases the attack surface and creates a mismatch between declared functionality and actual code behavior, which can enable unexpected outbound communication paths if other modules wire these integrations in.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The abstract interface includes arbitrary message-sending capabilities across multiple external platforms, which goes beyond a narrowly scoped PPT summarization skill. In a skill that processes conversation content, such generic outbound messaging primitives raise the risk of silent data exfiltration or unauthorized dissemination if invoked by downstream code.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The factory can instantiate integrations for many platforms not reflected in the stated skill scope, enabling broader external connectivity than users would reasonably expect. Even though this file is only a factory, centralizing undisclosed platform support materially expands reachable exfiltration and command channels when combined with the rest of the package.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The skill description says Feishu use is for optional upload, but this file also implements active message sending via the Feishu IM API. That expands the capability from file export to outbound communication, which increases exfiltration and unexpected data-sharing risk if other parts of the skill pass summary text or sensitive content into this method.

Context-Inappropriate Capability
Severity: Low
Confidence: 83%
Finding: Falling back to FEISHU_USER_ID from the environment creates an implicit recipient for outbound messages, even when no recipient was explicitly provided by the caller. In a skill whose stated purpose is PPT generation with optional upload, this hidden default makes unintended disclosure easier and obscures where data may be sent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 78%
Finding: The script actively probes AppleScript automation capability by invoking System Events, which goes beyond passive environment inspection and touches a sensitive automation surface. For a tool described as summarizing conversations into PPT with optional Feishu upload, this broadens permissions discovery in a way that may surprise users and normalizes requesting automation privileges that could later be abused by related code.

Intent-Code Divergence
Severity: Low
Confidence: 71%
Finding: The module presents itself as a quick permission check, but it performs active network connectivity testing to open.feishu.cn and active AppleScript probing. This mismatch is risky because users may expect a harmless local diagnostic while the script actually reaches external services and exercises privileged OS automation paths.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The implementation sets `self.default_platform = "feishu"` and later replaces a missing `platform` argument with that default, so the normal workflow attempts an upload even when the user did not explicitly request sharing. This contradicts the stated 'optional upload' behavior and can cause conversation-derived content to be sent to an external service unexpectedly, creating a privacy and data-handling risk.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The code comment says upload happens only when a platform is specified, but earlier logic always assigns a default platform value (`feishu`) when none is provided. That mismatch is security-relevant because callers may trust the documented behavior and inadvertently trigger network sharing of generated PPTs containing conversation content.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The uninstall section tells users to run a recursive forced deletion command but does not clearly warn that the action is irreversible or advise verifying the path before execution. Even though the target path is specific, documentation that normalizes `rm -rf` without safety guidance can cause accidental data loss, especially if users edit or mistype the path.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The README advertises Feishu upload support and requests app credentials, but it does not clearly warn that conversation content and generated documents may be transmitted to an external service. In a skill that summarizes potentially sensitive meetings or chats, this omission can cause users to unknowingly expose confidential data to Feishu or a third-party tenant.

Missing User Warnings
Severity: Medium
Confidence: 81%
Finding: The helper uploads and shares a local PPT file to an external platform with no explicit confirmation, consent gate, or safety check at the point of transfer. In a skill that processes user-provided content into files, this increases the risk of unintentional data exfiltration or oversharing if the function is invoked on sensitive material or with misconfigured platform credentials.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The document states that files can be uploaded to Feishu and share links returned, but it does not warn users that conversation-derived content and generated PPT files may leave the local environment and be transmitted to a third-party service. In a skill marketed as supporting local processing, omitting this disclosure can mislead users about privacy boundaries and cause unintended data exposure through uploads or shared links.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code serializes platform credentials such as Feishu app secrets and Slack bot tokens into a plaintext JSON config file under the user's home directory. If the file is exposed through weak filesystem permissions, backups, local compromise, or accidental sharing, those secrets can be reused to access third-party services and uploaded content.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The guide advertises automatic Feishu upload and share-link generation without clearly warning that conversation content and generated PPT files will be transmitted to an external service. Users may unknowingly upload sensitive meeting notes, project plans, or client information outside the local environment, creating a real confidentiality and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The documentation instructs users to place Feishu app credentials in config files but does not warn against committing them to version control or sharing those files. This creates a realistic secret-exposure path that could allow unauthorized API use, data access, or abuse of the connected Feishu application.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The command shown deletes matching PPTX files older than 30 days, but the guide does not warn that deletion is irreversible. Users may run it without fully understanding the scope and permanently remove important presentations or evidence needed for business records.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The reinstall instructions include deleting the local skill directory without stating that this removes local files and may be unrecoverable. Although scoped to one directory, undocumented destructive commands can still cause unintended data loss or user confusion.

Missing User Warnings
Severity: Low
Confidence: 78%
Finding: Message text is transmitted to Feishu's messaging API, and unlike file upload this behavior is not clearly covered by the skill's stated purpose. Sending generated summaries or conversation-derived content to an external messaging endpoint without explicit user awareness can leak sensitive data.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The test writes a PPTX file directly to the user's Desktop using a fixed path without an explicit warning, confirmation, or use of a temporary test directory. While this is not code execution or data exfiltration, it causes an unsolicited filesystem side effect and may violate user expectations about what a test is allowed to do.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The end-to-end test also saves a generated PPTX to the user's Desktop without prior disclosure or consent. In skill/plugin contexts, unexpected writes to user-facing locations are risky because they create persistent artifacts outside the project and can surprise users or violate least-surprise expectations.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill can upload a generated PPT derived from user conversations to an external platform without any explicit privacy notice, consent prompt, or visibility into what data will be shared. Because the source material may include sensitive business discussions, credentials, personal data, or internal decisions, silent sharing increases the risk of unintended disclosure.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: User input is printed directly to logs and also embedded into generated slide content without sanitization or data minimization. If users provide sensitive business, personal, or confidential information, it may be exposed in console logs, stored artifacts, or shared presentations beyond the original intended scope.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.destructive_delete_command, suspicious.exposed_secret_literal

Severity: Warn
Code: suspicious.destructive_delete_command
Location: docs/USER_GUIDE.md:364
Documentation contains a destructive delete command without an explicit confirmation gate.

Severity: Warn
Code: suspicious.destructive_delete_command
Location: INSTALL_SPECIFICATION.md:228
Documentation contains a destructive delete command without an explicit confirmation gate.

Severity: Warn
Code: suspicious.destructive_delete_command
Location: INSTALL.md:127
Documentation contains a destructive delete command without an explicit confirmation gate.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: credentials_management.md:67
File appears to expose a hardcoded API secret or token.