web-slide

Security checks across malware telemetry and agentic risk

Overview

This is a coherent HTML slide-generation skill whose file-writing, browser preview, local theme picker, and optional CDN behavior are all expected for its purpose, with a few usability and privacy cautions.

Install if you are comfortable with the agent reading the materials you provide, writing local HTML slide files, opening a browser preview, running a temporary localhost theme picker, and optionally using external CDN libraries for advanced charts or animation. For confidential presentations, avoid sensitive source material where possible, ask for no CDN dependencies, and review the generated HTML before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The README states the skill will automatically trigger for general Slide/PPT/presentation-related requests, but it does not define clear activation boundaries. In an agent environment, broad auto-triggering can cause the skill to engage on loosely related prompts, increasing the chance of unintended document processing, unnecessary external fetches, or surprising behavior for users.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README encourages users to provide documents, webpage links, screenshots, and PDFs as source material, but it does not clearly disclose that these inputs may be parsed and that external resources may be retrieved during generation. This creates a transparency and privacy risk: users may unintentionally expose sensitive data or trigger network access without understanding the consequences.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation description is very broad and can trigger on generic presentation-related requests, which increases the chance the skill activates in contexts where the user did not intend full file generation, web fetching, or browser preview behavior. Because this skill also has write and fetch capabilities, over-broad routing can cause unintended access to workspace files, unnecessary network activity, or automatic generation flows in response to ambiguous prompts.

Natural-Language Policy Violations

High
Confidence: 91%
Finding
Forcing Chinese-language behavior without user opt-in can cause the skill to ignore user language preference and produce outputs the user cannot review effectively. In a skill that generates deliverables and may summarize source material, language coercion raises the risk of misunderstandings, missed inaccuracies, and reduced user oversight over generated content or fetched material.

Missing User Warnings

Medium
Confidence: 90%
Finding
The page writes to the user's clipboard automatically as a fallback after a failed network request, without explicitly warning the user that clipboard contents will be overwritten. While the action is still gated by a user click on the confirm button, silently replacing clipboard data can surprise users and may disrupt workflows or cause accidental pasting of unintended content.

VirusTotal

65/65 vendors flagged this skill as clean.
