googleslides-automation
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies (MEDIUM): The skill requires the user to add an external MCP server endpoint
https://rube.app/mcp. This domain is not included in the list of trusted providers (e.g., Anthropic, Google, Microsoft, Composio) and acts as a remote dependency that processes all tool calls and data. While the documentation claims no API keys are needed, routing sensitive presentation data through an unverified relay poses a supply-chain risk. - Indirect Prompt Injection (LOW): The skill possesses a significant attack surface for indirect prompt injection.
- Ingestion points: The
markdown_textparameter inGOOGLESLIDES_CREATE_SLIDES_MARKDOWNandGOOGLESLIDES_PRESENTATIONS_BATCH_UPDATEtools accepts arbitrary text that the agent is instructed to process. - Boundary markers: The skill does not define delimiters or provide 'ignore embedded instructions' warnings for the data being ingested.
- Capability inventory: The skill has broad capabilities to create, modify, retrieve, and share Google Slides presentations and Google Drive files.
- Sanitization: There is no evidence of sanitization or validation of the input Markdown before it is passed to the underlying Google Slides API tools.
- Risk: An attacker could embed malicious instructions in a Markdown source (e.g., a document the user asks the agent to summarize into a presentation) that could cause the agent to exfiltrate slide content or share presentations with unauthorized users.
Audit Metadata