Corespeed Pptx

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it installs Deno through a live remote shell script and runs user-provided TSX presentation files with broad local read/write access.

Install only if you are comfortable trusting the Deno installer and the JSR package source. Run this skill only on TSX slide files you wrote or reviewed, ideally in a project sandbox, and prefer path-scoped Deno permissions that limit reads to the deck/assets and writes to the intended PPTX output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Script Fetching

High
Category: Supply Chain
Content:
{
  "id": "deno-install",
  "kind": "shell",
  "command": "curl -fsSL https://deno.land/install.sh | sh",
  "bins": ["deno"],
  "label": "Install Deno (https://deno.land)",
},
Confidence: 98%
Finding: curl -fsSL https://deno.land/install.sh | sh

VirusTotal

66/66 vendors flagged this skill as clean.
