HTML Slides for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This slide-making skill appears useful, but it includes public Vercel deployment and automated local actions that are not scoped or consent-gated clearly enough.

Install only if you are comfortable with a slide tool that can create local files, run export/preview tooling, and publish decks to Vercel. Treat deployment as sensitive: review the deck for private information first, avoid production/public deployment unless you explicitly requested it, and prefer local HTML/PDF export when sharing confidential material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to create and save HTML slide files in a workspace path, which is a file-write capability, but no corresponding permission is declared. Hidden or undeclared write access weakens user consent and platform enforcement because the agent can persist artifacts without an explicit capability boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The manifest frames the skill as local HTML slide creation, but the instructions also cover PPT extraction, PDF export, package/tool invocation, and public deployment to Vercel. This mismatch is dangerous because users may invoke a seemingly harmless presentation skill without realizing it can publish content externally or trigger additional tooling and data handling flows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The documentation broadens the skill from slide generation into sharing and public deployment, but that expansion is not reflected in the declared description. Undisclosed capability creep increases the chance of users exposing sensitive presentation content or invoking riskier actions than they intended.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill explicitly instructs deployment to Vercel, which is a network publication action unrelated to the minimum need of generating slides locally. In context, presentations often contain internal business, personal, or confidential material, so publishing them can directly cause data exposure beyond the user's expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script extends a slide-generation skill into public hosting by deploying content to Vercel and advertising a permanent shareable URL. This is dangerous because users may expect local artifact generation, but the script performs external publication of potentially sensitive presentation content, increasing data exposure risk beyond the core skill scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The script installs or invokes third-party deployment tooling and then uses it for network-backed publishing, which materially changes the trust boundary of the skill. This is risky because it can fetch and run external code and send user content to a third party, neither of which is necessary for basic HTML slide generation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script automatically launches the generated PDF with `open` or `xdg-open`, causing an unsolicited local application execution as a side effect of export. Even though the target is a locally generated file, auto-opening is not required for the core skill behavior and can trigger risky follow-on behavior in a desktop PDF handler, surprise the user, or violate least-astonishment and sandbox expectations in automated environments.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The activation phrases are very broad, generic requests such as making a PPT, slides, or a self-introduction webpage, which are likely to overlap with ordinary user intents unrelated to this specific skill. In an agent ecosystem, this can cause the skill to activate unexpectedly and take over workflows, increasing the chance of unintended file generation, browser launching, or follow-on deployment actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README says the workflow will automatically open a browser preview and optionally deploy to Vercel or export PDF, but it does not clearly warn users about external publishing, local command execution, or other system-impacting actions. In a skill context, ambiguous automation around opening applications or publishing content can lead to unintentional data exposure or execution of actions the user did not knowingly approve.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill offers creation of a public Vercel link without any explicit privacy or exposure warning. Given the context of slide decks, this is dangerous because users may unknowingly publish proprietary, personal, or regulated information to a public endpoint.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script performs a production deployment to a public URL with '--yes' and '--prod', suppressing confirmation for a high-impact external action. This is dangerous because a mistaken invocation can immediately publish sensitive or internal slide content without a final review or acknowledgment from the user.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content (excerpt from the skill's deploy script):
  echo ""

  # Deploy with sensible defaults:
  #   --yes: skip confirmation prompts
  #   --prod: deploy to production URL (not preview)
  #   --name: use the folder name as the project name
  DECK_NAME=$(basename "$DEPLOY_DIR")
Confidence: 90%
Finding: skip confirmation

VirusTotal

65/65 vendors flagged this skill as clean.
