一键生成PPT截图和缩略图工具，MAC版本

Security checks across malware telemetry and agentic risk

Overview

The tool appears to convert PowerPoint files into images, but it also asks for WeChat credentials that the code does not use or protect.

Install only if you are comfortable reviewing and editing the configuration yourself. Do not provide real WeChat app secrets to this skill unless the publisher clarifies the need and adds secure handling guidance; keep real secrets out of shared config files, screenshots, logs, and version control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill asks users to provide WeChat app credentials directly in configuration without any guidance on secure handling, storage, masking, or use of a secret manager. Even though the file does not explicitly exfiltrate them, requesting secrets in plain configuration increases the risk of accidental leakage through logs, version control, screenshots, or shared skill bundles.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal