Back to skill

Security audit

Slide Editor

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent slide editor, but it needs Review because its recommended workflow executes shell commands and exposes broad editing controls with weak boundaries.

Install only if you are comfortable with a local tool that rewrites HTML files and exposes a browser-global editing API. Prefer using a copy of the presentation, avoid the curl | bash or irm | iex installer paths unless you have independently verified them, and avoid --open on files with untrusted or unusual names until the shell execution is hardened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The message listener enables or disables the editor solely based on event.data.type and does not validate event.origin, event.source, or any capability token. Any embedding page, iframe parent, or other window that can postMessage to this page can toggle editing mode, expanding the attack surface and allowing unauthorized UI manipulation of the document.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Publishing the full editor instance as window.__openclawEditor exposes powerful document-editing primitives to any script running in the same page context, including third-party analytics, compromised dependencies, or injected scripts. This turns ordinary XSS or untrusted script execution into full document tampering and data export capability with no additional checks.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill explicitly instructs users to inject an editor bundle into an existing HTML file and later export a new file, but it does not clearly warn that the original input HTML is being modified in place and that additional output files will be created/downloaded. For an agent-controlled skill, this omission can lead to unintended file tampering, overwritten artifacts, or silent persistence of injected code in user documents.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file auto-enables a full editing UI on load without requiring a user action, and the editor exposes destructive capabilities such as delete, move, resize, crop, and export/save shortcuts. In an agent-controlled skill, this increases the chance of unintended modification of the presentation state or accidental destructive actions, especially when merely opening the file should be a read-only operation.

External Script Fetching

High
Category
Supply Chain
Content
```bash
# macOS/Linux
curl -fsSL https://bun.sh/install | bash

# Windows (PowerShell)
powershell -c "irm bun.sh/install.ps1 | iex"
Confidence
98% confidence
Finding
curl -fsSL https://bun.sh/install | bash

External Script Fetching

High
Category
Supply Chain
Content
```bash
# macOS/Linux
curl -fsSL https://bun.sh/install | bash

# Windows (PowerShell)
powershell -c "irm bun.sh/install.ps1 | iex"
Confidence
98% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS/Linux
curl -fsSL https://bun.sh/install | bash

# Windows (PowerShell)
powershell -c "irm bun.sh/install.ps1 | iex"
Confidence
97% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS/Linux
curl -fsSL https://bun.sh/install | bash

# Windows (PowerShell)
powershell -c "irm bun.sh/install.ps1 | iex"
Confidence
97% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
inject.ts:179