Back to skill

Security audit

Ppt Generator

Security checks across malware telemetry and agentic risk

Overview

This PPT-generation skill is purpose-aligned, but users should expect web lookups, local file creation, and possible tool installation when it runs.

Install this only if you are comfortable with the agent using web searches for sparse presentation topics, installing presentation-related dependencies, and writing PPT/preview files locally. For confidential business, medical, financial, or personal material, provide the source content yourself and ask the agent not to browse or to save outputs in a private directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill directs the agent to proactively browse and fetch external content whenever user input is sparse, expanding behavior beyond simple PPT generation into autonomous data collection. This can expose user-provided topics or sensitive business context to third-party services and introduces untrusted external content into outputs without user consent or clear scope limits.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list includes broad natural-language phrases such as '做PPT', '生成PPT', and '帮我做个PPT', which increases the chance of accidental activation in ordinary conversation. Unintended activation is more dangerous here because the skill can subsequently perform web retrieval and file generation, causing unanticipated external data disclosure or local side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates automatic web retrieval to enrich sparse prompts but gives no warning that user topics, business plans, or presentation details may be transmitted to external services. This creates a privacy and consent problem, especially for enterprise, medical, financial, or otherwise sensitive presentation subjects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill says it will save the PPT to the Desktop and generate preview images, but it does not warn users about local file writes and creation of additional artifacts. This can leak sensitive presentation content to shared machines, synced folders, or other local processes without the user's informed consent.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.