scientific-slides
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected.

The skill is functionally aligned with its stated purpose (AI-assisted slide generation). There is no evidence of obfuscated or intentionally malicious code in the provided documentation. However, the workflow requires and encourages uploading local images and previous slide outputs to a third-party image-generation service (OpenRouter / Nano Banana Pro) authenticated via OPENROUTER_API_KEY. That creates a realistic privacy and data-exfiltration risk for unpublished or confidential figures.

Recommend: (1) treat attachments as sensitive, (2) add explicit warnings about uploading unpublished data and explain the third party's data retention policy, (3) allow a local-only mode or on-premise model option if confidentiality is required.

Verdict: SUSPICIOUS from a data-exfiltration/privacy perspective, but not demonstrably malicious.

LLM verification: The skill description is broadly aligned with its goal of generating scientifically designed slide decks using external tooling and clear prompt guidance. The main concern is a credential/key retrieval pattern flagged by static analysis; if such behavior exists in the actual implementation, it represents a credential exposure risk and a supply-chain concern. In the absence of hardcoded secrets, the risk is elevated mainly due to external service interactions. Recommend removing any external creden