Trust Assessment
ppt-generator-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 28 findings: 8 critical, 9 high, 11 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Unsafe environment variable passthrough, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (28)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/run.sh:27 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/run.sh:28 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/video_composer.py:59 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/video_composer.py:101 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/SKILL.md:241 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/SKILL.md:417 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/generate_ppt.py:44 |
| CRITICAL | Credential harvesting: Reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/transition_prompt_generator.py:91 |
| HIGH | Unsafe environment variable passthrough: Access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/transition_prompt_generator.py:91 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/video_materials.py:5 |
| HIGH | Potential data exfiltration: file read + network send. Function 'download_video' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/kling_api.py:334 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_verify_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/video_composer.py:59 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_run_ffmpeg'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/video_composer.py:101 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/SKILL.md:241 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/SKILL.md:417 |
| HIGH | Command Injection via .env file processing in run.sh. The `run.sh` script uses `export $(cat "$SCRIPT_DIR/.env" \| grep -v '^#' \| xargs)` to load environment variables. This construct is vulnerable to command injection if the `$SCRIPT_DIR/.env` file contains malicious shell commands. An attacker could potentially trick a user into placing malicious content in their `.env` file, or replace the `.env` file, leading to arbitrary command execution when `run.sh` is executed. Use a safer method to load environment variables. For shell scripts, explicitly sourcing the `.env` file (`source "$SCRIPT_DIR/.env"`) is generally safer if the file is expected to contain only `KEY=VALUE` pairs, but still carries risk if the file contains arbitrary commands. A more robust solution would be to parse the `.env` file in Python and set `os.environ` variables, avoiding direct shell execution of file content. | LLM | run.sh:17 |
| HIGH | Local File Inclusion and Data Exfiltration via untrusted file path arguments. Multiple Python scripts (`generate_ppt.py`, `generate_ppt_video.py`, `kling_api.py`, `prompt_file_reader.py`, `transition_prompt_generator.py`, `video_composer.py`) accept file paths as command-line arguments (e.g., `--plan`, `--style`, `--slides-dir`, `--prompts-file`) or function parameters (e.g., `image_path`, `template_path`). If the host LLM can be prompted to pass arbitrary file paths to these arguments, the skill could be coerced into reading, processing, or base64-encoding sensitive files from the system, leading to data exfiltration. The `SKILL.md` explicitly mentions the skill's ability to "使用 Read 工具读取文件内容" (Use Read tool to read file content) for user-provided documents, indicating file reading capabilities that could be abused to access arbitrary system files. Implement strict validation and sanitization for all file paths provided by user input or derived from untrusted sources. Restrict file access to a designated sandbox directory or use allow-lists for file extensions and locations. Avoid passing raw user input directly as file paths. | LLM | generate_ppt.py:140 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/generate_ppt.py:325 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/generate_ppt_video.py:343 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/kling_api.py:5 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/truongvknnlthao-gif/ppt-generator-pro/simple_transition_prompt_generator.py:5 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/SKILL.md:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/kling_api.py:16 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/install_as_skill.sh:60 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/run.sh:27 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/truongvknnlthao-gif/ppt-generator-pro/run.sh:28 |
| MEDIUM | Unintended .env file loading due to upward directory traversal. The `find_and_load_env()` function in `generate_ppt.py` and the `run.sh` script attempt to load `.env` files by traversing parent directories up to the project root or home directory. While `install_as_skill.sh` places the skill in a specific location (`~/.claude/skills/ppt-generator`), this upward traversal could inadvertently load an `.env` file from an unexpected parent directory if the skill is deployed in a different context or if a user has a sensitive `.env` file higher up in their directory structure, potentially exposing credentials not intended for this skill. Explicitly define the allowed `.env` file locations. For skills, it's often best to only load from the skill's own directory or a well-defined, isolated configuration directory. Avoid broad upward directory traversal for sensitive configuration files. | LLM | generate_ppt.py:37 |
| MEDIUM | Potential Prompt Injection via visual content analysis by Claude. The skill uses Claude to analyze generated PPT images (derived from user input) to create transition prompts for video generation. If a user provides content that, when rendered into an image, contains visual patterns or text that Claude interprets as instructions, it could lead to prompt injection against the Claude model. While `transition_prompt_generator.py` includes system-level instructions to mitigate text manipulation, the multimodal nature of the interaction presents a credible, albeit complex, vector for prompt injection. Implement robust input sanitization for user-provided PPT content to prevent embedding of malicious instructions. Consider adding more explicit negative constraints or guardrails in the system prompt to Claude, specifically addressing visual prompt injection attempts or unexpected instructions within image content. | LLM | transition_prompt_generator.py:160 |