Security audit

prose-to-deck

Security checks across malware telemetry and agentic risk

Overview

This skill coherently creates staged HTML presentation decks from user-provided prose, with disclosed file creation and review checkpoints.

Before installing, expect the skill to create files under a projects folder and to read the source text you provide. Review the generated HTML before sharing, especially if it uses external CDN fonts or libraries, and use review mode if you want approval checkpoints instead of the opt-in auto workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The instruction to "Fix issues silently" directs the agent to modify output without notifying the user, which can undermine user awareness, auditability, and consent over material changes. In a content-generation skill, silent edits may alter meaning, attribution, or presentation choices in ways the user did not explicitly approve, especially when a fix crosses from mechanical correction into editorial judgment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.