Security audit

powerpoint-generator

Security checks across malware telemetry and agentic risk

Overview

This PPT-generation skill is mostly coherent, but it should be reviewed because it can auto-run broad workflows, install packages, execute shell commands, and send slide-related data to external services.

Install only in an isolated project or container, review and approve all npm/pip/npx commands before running, avoid confidential topics when Unsplash or visual model audit is enabled, and do not pass untrusted strings to subagent_logger.py. This is not classified as malicious because the risky behavior is largely tied to the stated PPT workflow and there is no artifact-backed evidence of deception, destructive action, or intentional exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Install puppeteer-core
print("Installing puppeteer-core...")
import subprocess
subprocess.run(
    ["npm", "install", "puppeteer-core"],
    capture_output=True, text=True, timeout=60
)
Confidence
94% confidence
Finding
subprocess.run( ["npm", "install", "puppeteer-core"], capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
    if r.returncode != 0:
        print("Installing dom-to-svg...")
        subprocess.run(["npm", "install", "dom-to-svg"],
                       capture_output=True, text=True, timeout=60, cwd=str(work_dir))
        r = subprocess.run(
            ["node", "-e", "require('dom-to-svg')"],
Confidence
93% confidence
Finding
subprocess.run(["npm", "install", "dom-to-svg"], capture_output=True, text=True, timeout=60, cwd=str(work_dir))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("Building dom-to-svg browser bundle...")
entry_path = work_dir / ".bundle_entry.js"
entry_path.write_text(BUNDLE_ENTRY)
r = subprocess.run(
    ["npx", "-y", "esbuild", str(entry_path),
     "--bundle", "--format=iife",
     f"--outfile={bundle_path}", "--platform=browser"],
Confidence
91% confidence
Finding
r = subprocess.run( ["npx", "-y", "esbuild", str(entry_path), "--bundle", "--format=iife", f"--outfile={bundle_path}", "--platform=browser"],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    print(f"Converting {len(html_files)} HTML files (dom-to-svg, text editable)...")
    r = subprocess.run(
        ["node", str(script_path), json.dumps(config)],
        cwd=str(work_dir), timeout=300, env=env
    )
Confidence
86% confidence
Finding
r = subprocess.run( ["node", str(script_path), json.dumps(config)], cwd=str(work_dir), timeout=300, env=env )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if r.returncode != 0:
    # Install puppeteer-core
    print("  -> Installing puppeteer-core...")
    subprocess.run(
        ["npm", "install", "puppeteer-core"],
        capture_output=True, text=True, timeout=60, cwd=str(work_dir)
    )
Confidence
94% confidence
Finding
subprocess.run( ["npm", "install", "puppeteer-core"], capture_output=True, text=True, timeout=60, cwd=str(work_dir) )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
write_log(log_path, log_entry(session_id, stage, "command_start", {"command": command}))

start_time = time.time()
process = subprocess.Popen(
    command,
    shell=True,
    stdout=subprocess.PIPE,
Confidence
98% confidence
Finding
process = subprocess.Popen( command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=str(cwd) if cwd else None, )

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This utility's stated purpose is HTML-to-PNG conversion, but it also performs package installation over npm when dependencies are missing. That expands its capabilities beyond rendering into networked package acquisition and code installation, which is risky in an agent skill because skill execution may occur in sensitive or semi-trusted environments.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper dynamically installs npm packages during execution, which adds networked software acquisition and package-script execution to the skill. That is a real and relevant security issue because it expands the trust boundary and allows supply-chain compromise in a workflow that should be deterministic and offline once deployed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Using npx/esbuild at runtime introduces external tool resolution and potentially package fetching/execution beyond the skill's core need. In the context of an agent skill, this broadens execution surface and makes compromise of local PATH, node_modules, or package resolution materially dangerous.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This module is presented as a logger but includes a generic command runner that can execute arbitrary shell commands and record their output. That capability is broader than its stated purpose and creates a powerful misuse path for executing attacker-controlled commands under the agent's privileges.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation and CLI framing describe the tool as a logger, which can mislead reviewers and downstream components into granting it broader trust than warranted. Hidden dual-use behavior increases the chance it will be invoked in contexts where untrusted data can reach command execution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill directs the agent to automatically install Python and Node dependencies via pip/npm during execution. Auto-installing packages expands the runtime trust boundary to external registries and can execute package install scripts, creating unnecessary supply-chain and code-execution risk for a document-generation workflow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The workflow requires executing multiple local Python/Node scripts and shell commands over user-accessible directories, which materially increases the agent's capability beyond simple PPT generation. In a hostile or loosely controlled workspace, this can be abused to run arbitrary local code, interact with the filesystem broadly, and process untrusted content through complex toolchains.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README says the skill is triggered by simply describing presentation needs and that the agent will 'automatically execute the full workflow.' In an agent environment, this creates an overly broad activation surface where normal conversation can unintentionally invoke a multi-step skill that performs research, generation, and file output without clear confirmation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The usage examples include ambiguous everyday phrases such as 'I need to present to my boss about Y' and 'Make training materials,' which could match ordinary chat rather than deliberate tool use. This increases the likelihood of accidental invocation, especially because the skill is designed to generate multi-page outputs and potentially call downstream processing steps.

Vague Triggers

High
Confidence
95% confidence
Finding
The README states that the agent is triggered directly from conversational descriptions of presentation needs, which makes activation criteria broad and likely to match routine user messages. In an agent skill context, overbroad triggering can cause unintended invocation, unnecessary tool use, and accidental processing of unrelated or sensitive user content.

Vague Triggers

High
Confidence
97% confidence
Finding
The example phrases include very generic requests such as asking for a PPT or a presentation about X, which are common in everyday conversation and can over-match user intent. Because this skill performs a multi-step generation workflow and may gather materials or produce files automatically, false activation raises the risk of unintended actions and data handling.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger scope is extremely broad, covering common phrases like making an introduction or presenting something to a boss, which can cause this high-capability skill to auto-activate in many benign conversations. Because the skill also has shell/file/network behavior, broad triggering increases the chance of unintended execution and privilege exposure in contexts where a simple text response would have been sufficient.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic installation of Node/Python packages and use of subprocesses without a clear up-front warning that system state will be changed. Silent or implicit installation is risky because it alters the host environment, may fetch untrusted dependencies from external registries, and can violate least-privilege expectations for a document-generation task.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script modifies the host environment by installing an npm package without obtaining explicit user approval or prominently warning that it will do so. In automated or shared environments, this can violate change-control expectations, unexpectedly alter system state, and pull unreviewed third-party code into execution context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The visual audit uploads full slide screenshots to an external model API when an API key is present, which can expose sensitive slide contents such as internal business data, PII, or confidential product plans. The risk is elevated because this is a presentation-generation/QA skill, a context where users are likely to process proprietary materials, and there is no explicit consent gate or redaction step at the transmission point.

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger conditions are overly broad, including ordinary requests like 'help me make an introduction about X' or 'I need to present Y to my boss.' Overbroad activation can cause the skill to take over unrelated conversations and initiate file generation, research, or code-execution workflows in contexts where the user did not intend to invoke a PPT-building agent.

External Transmission

Medium
Category
Data Exfiltration
Content
**Unsplash API call pattern**:
```javascript
// Search photos by keyword
GET https://api.unsplash.com/search/photos?query={关键词}&per_page=1

// Request headers
Authorization: Client-ID {UNSPLASH_ACCESS_KEY}
```
Confidence
91% confidence
Finding
https://api.unsplash.com/

VirusTotal

67/67 vendors flagged this skill as clean.