Back to skill

Security audit

学术汇报 PPT 生成技能 (Academic PPT Builder)

Security checks across malware telemetry and agentic risk

Overview

This skill is a benign academic presentation helper, with only a minor risk that broad PPT wording could activate it for non-academic slide requests.

Install this if you want help drafting academic presentation plans for thesis defenses, conference talks, grant reports, or paper-summary-to-PPT workflows. For generic business, teaching, or marketing decks, state that explicitly so the agent does not default to this academic structure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes very broad phrases such as “生成 PPT”, which can match many ordinary user requests unrelated to this specialized academic presentation skill. Over-broad activation can cause the agent to invoke the skill in unintended contexts, leading to scope hijacking, user confusion, or the skill overriding a more appropriate tool or safer default behavior.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The guidance says the skill should enter its workflow automatically whenever the user provides an academic presentation need, but it does not define firm boundaries or disambiguation checks. This makes activation ambiguous on underspecified inputs and increases the chance that the skill captures requests prematurely, possibly suppressing clarifying questions or competing skills better suited to the task.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill explicitly treats a minimal request like “帮我生成 PPT” as sufficient to trigger the 'from-zero' mode. A generic phrase like this is highly ambiguous and may refer to non-academic, non-research, or even unrelated formatting tasks, so the skill can activate outside its intended scope and steer the interaction incorrectly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.