pptx

Security checks across malware telemetry and agentic risk

Overview

This PowerPoint skill is mostly coherent, but it needs Review because it includes broader Office-file handling, an unused browser automation dependency, and an under-disclosed LibreOffice shim that compiles and preloads code from a shared temp path.

Install only if you are comfortable with a PowerPoint skill that can run local conversion tools, mutate Office package contents, and includes some broader Office/document code. Prefer using it in a single-user or sandboxed environment. Before broad deployment, the publisher should remove or justify Playwright, restrict helper scripts to PPTX unless broader Office support is intentionally advertised, narrow the trigger wording, and replace the fixed /tmp LD_PRELOAD shim with a private, safely created temporary directory or a vetted packaged component.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Shim source is written under a fixed name in the shared system temp directory,
# then compiled to the preloadable .so at _SHIM_SO.
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
93% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The dependency set includes Playwright, a full browser automation framework, even though the declared skill purpose is limited to creating, reading, and modifying .pptx files. Browser automation materially expands the attack surface by enabling web access, scripted navigation, downloads, and interaction with remote content, which is unnecessary for ordinary PowerPoint processing and could be abused for data exfiltration or unintended network activity.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file explicitly supports packing DOCX and XLSX files in addition to PPTX, which exceeds the declared skill scope of handling only PowerPoint presentations. In an agent setting, this scope mismatch can cause unintended invocation on non-PPTX content and broaden the attack surface by enabling document types and validation paths the user and policy may not expect.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The output extension check allows creation of .docx and .xlsx files, not just .pptx files promised by the skill metadata. This can let an agent write or transform office documents outside its advertised capability, increasing the chance of misuse, policy bypass, or surprising file creation in workflows that should be limited to presentations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The validation branch includes DOCX-specific logic such as redlining validation and author inference, which is unrelated to PPTX handling. In a scoped agent environment, extra code paths for unsupported formats create unnecessary complexity and may trigger unexpected processing of document metadata or edits beyond the presentation domain.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is part of a skill declared for `.pptx` handling, but the implementation is explicitly a Word `.docx` tracked-changes validator. This kind of skill/implementation mismatch is dangerous because downstream systems may route PowerPoint-related tasks into code that cannot safely or correctly process them, causing validation bypass, incorrect security assumptions, or silent failure of expected protections.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code unpacks `original_docx` and reads `word/document.xml`, confirming it is designed for WordprocessingML rather than PowerPoint PresentationML. In the context of a skill that should trigger whenever a `.pptx` is involved, that mismatch makes the skill materially more dangerous because security checks may be skipped or misapplied to the wrong document format.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger text is extremely broad, telling the system to invoke this skill whenever users mention terms like 'deck,' 'slides,' or 'presentation,' regardless of what they intend to do. Overbroad triggering can unnecessarily grant the skill access to files, shell tooling, and transformation workflows in benign conversational contexts, increasing the chance of accidental execution, unintended file handling, or exposure of sensitive presentation data. Because this skill includes command execution and file operations, false-positive activation is more dangerous than for a purely informational skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Writing both C source and a preloadable `.so` to a global temp directory with fixed names creates a classic insecure temporary-file condition. In multi-user or hostile local environments, this can enable symlink attacks, file clobbering, or malicious library substitution that results in arbitrary code execution when `LD_PRELOAD` is set.

VirusTotal

65/65 vendors flagged this skill as clean.
