powerpoint
Audited by Socket on Mar 11, 2026
1 alert found:
Security: The skill claims to generate and manage PowerPoint decks via YAML-driven configuration and python-pptx, with extensive orchestration through PowerShell and supporting tooling. While the core functionality (parsing YAML and producing PPTX content) is coherent with the stated purpose, the install/execution footprint relies on unverifiable binaries and non-official distribution channels (uv via astral.sh, Copilot CLI via npm, LibreOffice installs from OS package managers). There is an explicit outbound data flow to an external vision service for slide validation. Taken together, the footprint is coherent with a powerful developer tooling workflow but introduces notable supply-chain/security risks and external data exposure risks that are disproportionate to a typical local deck generation task. The skill should be classified as SUSPICIOUS due to unverifiable binaries and third-party data flows, with securityRisk bumped toward HIGH given the combination of install-from-unknown-sources and external vision model interaction. If those installation sources can be replaced with verifiable, signed binaries from official registries and the external data flow can be clearly governed (with user consent and data handling notices), the risk posture would improve toward BENIGN.