The Agent Skills Directory

[Metadata Poisoning] (MEDIUM): The skill contains contradictory capability descriptions. README.md characterizes it as 'Read-only access,' whereas SKILL.md details 'Full read/write access' and includes destructive commands like delete-slide and batch-update. This discrepancy is deceptive and obscures the skill's actual risk profile.
[External Dependency] (MEDIUM): Documentation states the skill 'Automatically refreshes expired tokens using Google's cloud function.' The lack of a specific URL or source code for this function creates an unverified dependency for credential management, potentially exposing OAuth tokens stored in the system keyring.
[Indirect Prompt Injection] (LOW): The skill reads untrusted text from slides via get-text. Because the skill has write and delete permissions, it is susceptible to indirect prompt injection where malicious presentation content could trigger unintended slide modifications.
Ingestion points: scripts/slides.py get-text in SKILL.md.
Boundary markers: None identified in the provided documentation.
Capability inventory: create, add-slide, replace-text, delete-slide, batch-update in scripts/slides.py.
Sanitization: No evidence of sanitization or escaping of slide content.
[No Code Provided] (SAFE): The actual implementation files (scripts/auth.py, scripts/slides.py) were not included in the analysis package, restricting the audit to documentation-based findings.

google-slides