ClawHub

Emergence PPT Orchestra

Security checks across malware telemetry and agentic risk

Overview

This presentation skill is mostly purpose-aligned, but it can send sensitive diagram or data content to a third-party rendering service without clear consent and minimization safeguards.

Review before installing if you may use it for confidential presentations. Only provide an Emergence API key if you trust that service, avoid sending sensitive diagrams or CSV-derived data unless approved, and prefer a pinned or local Marp renderer for sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that complex data structures are sent to an external rendering API, but it does not clearly warn users that slide content, diagrams, or embedded business logic may leave the local environment and be processed by a third party. In a presentation-generation skill, users may include confidential architecture, research, or internal strategy content, so undisclosed external transmission creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to send rendering inputs to an external API, including diagram code that may embed sensitive presentation content, without a clear, explicit user-facing consent step at the point of transfer. Although the document claims slide text remains local, the actual workflow can transmit user-provided concepts, CSV-derived content, or proprietary visual specifications to a third party, creating a confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly states that presentation content will be sent to an external rendering API and requires an API key, but it does not provide a clear user-facing warning about off-system transmission of potentially sensitive slide content. In a presentation-generation skill, users may include confidential business, research, or customer data, so silent transmission to a third-party service creates a real privacy and data-handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
- **Engines Available**: `tikz`, `mermaid`, `graphviz`, `d2`.
- **Payload Example**:
  ```bash
  curl -s -X POST https://api.emergence.science/tools/render \
    -H "Authorization: Bearer $EMERGENCE_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
Confidence
96% confidence
Finding
curl -s -X POST https://api.emergence.science/tools/render \ -H "Authorization: Bearer $EMERGENCE_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Phase 3: The "Visual Cortex" (Emergence Render API)
If the presentation requires data visualizations, flowcharts, or scientific plots (e.g., from CSVs or concepts), do **not** use ASCII art.
- **Action**: Invoke the `https://api.emergence.science/tools/render` API via `POST`.
- **Engines Available**: `tikz`, `mermaid`, `graphviz`, `d2`.
- **Payload Example**:
  ```bash
Confidence
91% confidence
Finding
https://api.emergence.science/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Engines Available**: `tikz`, `mermaid`, `graphviz`, `d2`.
- **Payload Example**:
  ```bash
  curl -s -X POST https://api.emergence.science/tools/render \
    -H "Authorization: Bearer $EMERGENCE_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
Confidence
96% confidence
Finding
https://api.emergence.science/

External Transmission

Medium
Category
Data Exfiltration
Content
},
  "api": {
    "type": "openapi",
    "url": "https://api.emergence.science/tools/render/openapi.json"
  },
  "discovery": {
    "content_index": "https://emergence.science/content/index.json"
Confidence
91% confidence
Finding
https://api.emergence.science/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal