Back to skill

Security audit

GLM-V-PDF-to-PPT

Security checks across malware telemetry and agentic risk

Overview

This PDF-to-slides skill is mostly coherent, but it uses under-scoped URL downloading and has a crop helper that can write outside the intended crops folder.

Review before installing. Prefer local PDFs or trusted HTTPS URLs only, avoid sensitive documents unless local rendered copies and subagent viewing are acceptable, and fix the crop filename sanitization plus add URL confirmation, host blocking, size/type limits, and timeouts before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to create directories, write multiple output files, and execute shell commands, yet no permissions are declared. This creates a governance gap: reviewers and runtime policy may underestimate the skill's capabilities, allowing file writes and command execution without explicit scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest presents a narrow PDF-to-presentation transformation, but the instructions materially expand behavior to arbitrary page cropping, HTML handling, URL downloading, and shell-driven file generation. Description-behavior mismatch is dangerous because users, auditors, and policy systems may grant trust based on the stated purpose while the skill can perform broader operations than expected.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Accepting arbitrary HTTP/HTTPS URLs and fetching them with curl expands the skill from local document conversion into network retrieval of untrusted content. This can be abused for SSRF-like access to internal endpoints, unexpected outbound requests, or retrieval of malicious/oversized files under the guise of PDF conversion.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill introduces network download behavior without clearly justifying it in the core purpose or surfacing the privacy/security implications. Users may unknowingly cause outbound requests that disclose access patterns, hit attacker-controlled servers, or pull malicious files into subsequent processing steps.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad enough that the skill could activate on generic requests like '做PPT' or 'make slides,' even when the user did not intend this specific PDF-processing workflow. Over-broad invocation increases the chance of unintended file operations, shell execution, or network access on ambiguous prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell the agent to download user-supplied URLs with curl but do not warn that this makes outbound network requests. Hidden network activity is risky because it can surprise users, leak metadata to remote hosts, and expose the environment to malicious or oversized content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.