SVG PPT Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent PowerPoint generator with expected local file creation and optional external image tooling, with no evidence of hidden exfiltration, destructive behavior, or deceptive execution.

Install only if you are comfortable with a PPT tool that writes local temporary/project files and may run local converters. Use external AI image generation only with explicit provider choice and non-sensitive prompts, and avoid running the SVG/image-processing helpers on untrusted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = os.path.join(output_dir, "_render.js")
with open(script_path, "w") as f:
    f.write(script)
subprocess.run(["node", script_path], capture_output=True, timeout=30)
return sorted(glob.glob(os.path.join(output_dir, "slide_*.png")))
Confidence
86% confidence
Finding
subprocess.run(["node", script_path], capture_output=True, timeout=30)
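A hardened version of the flagged call, added here as an example and not code from the skill itself. It keeps the same shape (write a render script, run it, collect slide_*.png) but creates a fresh 0700 directory instead of a caller-chosen output_dir, creates the script with O_EXCL and mode 0600, passes the child an allowlisted environment so provider API keys loaded from .env are never inherited, treats a timeout or non-zero exit as a failure and removes the directory on failure. The ALLOWED_ENV set, the function name and the interpreter parameter are assumptions for the example; the interpreter is parameterised only so the function can be exercised with Python as a stand-in where node is not installed.

```python
import glob
import os
import shutil
import subprocess
import tempfile

# Variables a renderer child process may inherit. Provider API keys and anything
# loaded from a project .env are deliberately absent. This allowlist is an
# assumption for the example, not the skill's own policy.
ALLOWED_ENV = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR",
                         "SYSTEMROOT", "TEMP", "TMP"})


def scrubbed_env():
    """Build the minimal environment handed to the renderer."""
    return {k: v for k, v in os.environ.items() if k in ALLOWED_ENV}


def render_slides(script, interpreter=("node",), timeout=30):
    """Run a render script in a private output directory; return (dir, [png paths]).

    Differences from the flagged snippet:
      * output directory is a fresh 0700 mkdtemp, not a guessable path under /tmp
      * the script file is created with O_EXCL and mode 0600
      * the child gets a scrubbed environment and the output dir as its cwd
      * a timeout or non-zero exit is an error, and the directory is removed
    The caller owns the returned directory and must delete it (shutil.rmtree)
    once the deck has been assembled, so intermediate PNGs do not linger.
    """
    output_dir = tempfile.mkdtemp(prefix="svg-ppt-")
    script_path = os.path.join(output_dir, "_render.js")
    try:
        fd = os.open(script_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(script)
        result = subprocess.run(
            [*interpreter, script_path],
            capture_output=True, text=True, timeout=timeout,
            env=scrubbed_env(), cwd=output_dir, check=False,
        )
        if result.returncode != 0:
            raise RuntimeError(
                f"renderer exited {result.returncode}: {result.stderr[-500:]}")
    except BaseException:
        # TimeoutExpired, RuntimeError or anything else: leave nothing behind
        shutil.rmtree(output_dir, ignore_errors=True)
        raise
    return output_dir, sorted(glob.glob(os.path.join(output_dir, "slide_*.png")))
```

The environment allowlist is the part that addresses the credential findings later on this page: with `env=scrubbed_env()` a provider key exported into the agent's shell, or pulled in from a project-root .env, is simply not present in the renderer, so a malicious or compromised render script cannot read it.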

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises a simple PPT generator but its documented behavior implies broad code-capable operations including file read/write, shell execution, network access, and environment access without any declared permissions or user-facing constraints. This creates a large, hidden attack surface where the agent could access local data, invoke external tools, or exfiltrate information under the guise of slide generation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is narrow, but the actual behavior reportedly spans external AI providers, web fetching, document conversion, project import tooling, and rendering/review pipelines. This mismatch is dangerous because users and policy layers may grant trust appropriate for a slide generator while the skill performs much broader, potentially data-exporting operations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to read provider API credentials from environment variables and project-root .env files to access external image-generation services. Accessing secrets and then transmitting prompts or project content to third-party APIs creates a real risk of unintended secret handling and data exfiltration, especially because the file does not require explicit user consent or tight scoping before external calls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script trusts SVG <image> href values, resolves them to absolute paths, and opens whatever local file they reference. If an attacker can supply or influence the SVG input, this enables unintended local file access outside the project tree and can expose sensitive files or trigger processing of attacker-chosen local resources.
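One way to close the href finding above, added here as an example and not code from the skill: every <image> href is classified before anything is opened. data: URIs are allowed (they carry their own bytes), any other scheme or host is refused, absolute paths are refused, and relative paths are resolved with realpath (which follows symlinks) and must stay under the project root. The SAMPLE_SVG document, the verdict strings and the `project` root name are constructed for the example. The DOCTYPE refusal is an added precaution because the stdlib parser expands internal entities; a defused parser would be the alternative.

```python
import os
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed input for the example: one legitimate reference and the
# kinds of href an attacker-supplied SVG would carry.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="assets/logo.png"/>
  <image xlink:href="../../etc/passwd"/>
  <image href="/etc/passwd"/>
  <image href="file:///etc/passwd"/>
  <image href="https://example.com/x.png"/>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""


def resolve_image_hrefs(svg_text, project_root, allow_data_uri=True):
    """Return (href, verdict, resolved_path_or_None) for every <image> in the SVG.

    Only entries with verdict "allow" and a non-None path may be opened.
    """
    if "<!DOCTYPE" in svg_text:
        # ElementTree expands internal entities; refuse DTDs outright so an
        # entity cannot be used to assemble a path or blow up the parser.
        raise ValueError("DOCTYPE not allowed in SVG input")
    root_real = os.path.realpath(project_root)
    results = []
    for el in ET.fromstring(svg_text).iter(SVG_NS + "image"):
        href = el.get("href") or el.get(XLINK_HREF)
        if not href:
            continue
        parts = urlsplit(href)
        if parts.scheme == "data":
            results.append((href, "allow" if allow_data_uri else "deny:data-uri", None))
            continue
        if parts.scheme or parts.netloc:
            # file://, http(s)://, or anything with a host: never fetched locally
            results.append((href, "deny:remote-or-scheme", None))
            continue
        if href.startswith(("/", "\\")) or os.path.isabs(href):
            results.append((href, "deny:absolute-path", None))
            continue
        candidate = os.path.realpath(os.path.join(root_real, href))
        try:
            inside = os.path.commonpath([root_real, candidate]) == root_real
        except ValueError:  # different drives on Windows
            inside = False
        if not inside:
            # ".." segments and symlinks pointing out of the tree both land here
            results.append((href, "deny:outside-project", None))
            continue
        results.append((href, "allow", candidate))
    return results


if __name__ == "__main__":
    for href, verdict, path in resolve_image_hrefs(SAMPLE_SVG, "project"):
        print(f"{verdict:24} {href}  ->  {path}")
```

The check deliberately compares realpath results rather than string prefixes: a symlink such as `assets/cfg -> /etc` inside the project would pass a naive `startswith(project_root)` test but is rejected here because realpath resolves it before the commonpath comparison.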

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill performs host font enumeration via `fc-list`, which is an environment-discovery capability not strictly required to generate PPTs. In an agent or sandboxed skill context, collecting host configuration details can leak fingerprinting information and violates least-privilege expectations, especially if results influence downstream behavior or are exposed indirectly.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are overly broad and can activate on generic terms like 'presentation,' which increases the chance the skill runs in contexts where the user did not intend PPT generation or file/tool execution. Overbroad activation is risky when the skill can read templates, write files, and invoke conversion tooling because it may process sensitive content unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs writing SVGs and outputs into /tmp without telling the user that local files will be created. Undisclosed local persistence can expose sensitive presentation content to other processes, later sessions, or operators depending on the execution environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The conversion flow produces /tmp/output.pptx but does not specify retention, deletion, or handling of intermediate artifacts. This is dangerous because generated decks often contain confidential business material, and unclear persistence behavior increases the risk of unintended retention or disclosure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is broad enough that the image generator may activate whenever image generation is 'needed,' including within a pipeline, without a precise authorization boundary. Ambiguous activation increases the chance of unintended file writes or external API usage occurring automatically, which is risky in an agentic system handling user projects and local credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs the agent to save files and generate images via AI tools, but it does not prominently warn the user that local files will be created or that project data may be sent to external services. In practice, this can lead to silent filesystem modification and unanticipated third-party data disclosure, which are meaningful security and privacy issues in an automated skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to configure provider-specific API keys and use external image generation backends, but it does not clearly warn that prompts and possibly image inputs may be transmitted to third-party services. In a workflow tool, this omission can cause users to unknowingly send confidential business content, design concepts, or sensitive images outside their environment, creating privacy, compliance, and data handling risks.

VirusTotal

65/65 vendors flagged this skill as clean.