ClawHub

Skill Ppt Builder

Security checks across malware telemetry and agentic risk

Overview

This is a coherent presentation-building skill, but users should know slide prompts are sent to external image-generation providers.

Install this if you are comfortable using Ofox or OpenRouter for image generation. Do not include confidential strategy, customer data, regulated information, or unreleased product details in slide prompts unless your organization allows that provider use; prefer a dedicated API key and review generated files before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send slide content and visual references to external API gateways, but it does not clearly warn that proprietary deck material, customer data, or internal visuals may leave the local environment. In a presentation-building context, inputs often contain confidential business strategy, pricing, customer names, and roadmap information, making silent third-party disclosure particularly risky.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The template hard-codes Chinese-language instructions, including a requirement that all Chinese text be clearly readable, without indicating that this should depend on user preference. This can override or conflict with user intent, cause incorrect-language outputs, and create prompt-injection-like control issues within multi-step agent pipelines where downstream components expect locale to be user-driven.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal