scientific-slides

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

Functionally the skill matches its stated purpose (creating scientific slides with AI-generated visuals). There is no clear malicious code or obfuscation. However, the skill instructs users/agents to routinely attach and upload local files (figures, previous slides) to an external AI service (Nano Banana Pro/OpenRouter) using an API key — this creates a credible data-exfiltration/privacy risk, especially for proprietary or sensitive figures. The presence of 'Bash' in allowed-tools increases the potential for wide filesystem access and inadvertent uploads. I rate this as a medium/high security risk for sensitive environments (not confirmed malware). Recommend adding explicit warnings about uploading sensitive data, clarifying data retention and privacy for the external service, restricting or warning about allowed-tools scope, and providing an on-premise or privacy-preserving alternative if needed.

LLM verification: The skill's described capabilities are generally aligned with its purpose (AI-assisted slide generation for scientific talks) and its dependency footprint (external AI service, prompt-driven image generation) is coherent with the workflow. However, there is a notable data-flow and credential-handling pattern: the embedded guidance to obtain and supply an external API key (OPENROUTER_API_KEY) from a remote URL introduces potential credential disclosure risk and reliance on third-party services fo

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 21, 2026, 07:37 AM
Package URL: pkg:socket/skills-sh/Touricks%2Ffanshi_personal_skills%2Fscientific-slides%2F@82e6db87ae73a95f2e683c973a80708532b355c2