Skywork PPT

Security checks across malware telemetry and agentic risk

Overview

This skill is a Skywork PowerPoint helper that discloses that it sends selected files and prompts to Skywork; it is usable, but not for sensitive content unless you trust that service.

Use this only with files and prompts you are comfortable sending to Skywork. Prefer a dedicated API key, avoid printing or sharing the key, run Python dependencies in a virtual environment, and specify an output path or keep backups before local delete/reorder operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

MCP Least Privilege

Medium
Confidence
95% confidence
Finding
The skill exercises sensitive capabilities including environment access, local file read/write, and network operations, but does not declare permissions explicitly. This weakens reviewability and user consent because a seemingly simple PPT tool can access API keys, local documents, and remote services without a clear capability boundary.

MCP Tool Poisoning

High
Confidence
98% confidence
Finding
The description presents a PowerPoint workflow skill, but the body instructs the agent to upload local files, parse arbitrary user files remotely, perform web searches, and send verbatim user queries to external Skywork services. That mismatch is dangerous because users may not understand that sensitive local content and prompts are being transmitted off-device and potentially exposed via public or remote URLs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script advertises and implements generic reference-file parsing with OCR/text extraction, which is broader than the manifest's stated PowerPoint-focused operations. Scope expansion matters because it enables processing of arbitrary local documents and sending them to backend services, increasing the chance of unintended data handling beyond what users expect from a PPT skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code provides a generic remote document parsing pipeline by uploading any supplied file to a server-side parsing endpoint and returning extracted metadata/content. In a PPT-focused skill, that broader capability can be abused to exfiltrate or process unrelated local documents under misleading skill expectations, especially because the endpoint supports OCR and text extraction rather than narrowly scoped slide editing.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This helper uploads arbitrary local files to a remote OSS endpoint using a bearer API key, with no restriction that the files be PPT-related or user-approved beyond CLI input. In a PPT-focused skill, a generic exfiltration utility expands capability beyond the declared scope and could be abused by other code paths or operators to transfer sensitive local data off-host.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script retrieves an API credential and uses it to send local files to a remote gateway, which creates a capability to move local data outside the environment. Because the skill description is centered on PowerPoint generation/editing rather than general file transport, this credentialed upload path increases risk if invoked on unintended files or in a broader agent context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements generic web-search capability and stores results locally, which does not align with the skill’s declared PowerPoint-focused purpose. In an agent skill, capability drift is security-relevant because it expands the attack surface, enables unexpected data egress, and may let the skill access external content outside user expectations or policy scope.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code sends queries to a remote gateway using an API key, introducing outbound network access unrelated to the stated PPT file operations. In this context, hidden or undeclared authenticated external access is dangerous because it can exfiltrate user prompts or file-derived content and bypass the principle of least privilege for a presentation-editing skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to upload a user-provided local PPTX/PDF to OSS before conversion, which introduces remote data transfer of local files. Even if required by the backend architecture, this expands the skill from local file manipulation into external exfiltration of document contents, and the skill does not present this as a security-sensitive action or require explicit informed consent at the moment of transfer.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The workflow directs the agent to perform external web searches and synthesize third-party content before generating a PPT, but this behavior is not clearly disclosed in the skill metadata, which presents the skill as primarily PowerPoint-focused. That mismatch can cause unintended data disclosure of user topics or confidential project context to external search services and expands the skill's effective capability beyond what users would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to upload user-provided local files to a document parsing service and return metadata such as file URLs and file IDs, but the metadata only describes local PPT/file operations and conversion scenarios. This creates a capability/expectation gap that can expose sensitive documents to remote infrastructure without clear disclosure or informed consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill tells the agent to parse arbitrary local reference files by uploading them to an external service, yet this is not obviously necessary for all PPT-generation use cases and is broadly scoped to many file types. In a presentation skill, such remote transfer of local documents increases the risk of leaking confidential business, legal, financial, or personal information beyond the user's expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to upload the user's local template PPTX to OSS/CDN, which is an external data transfer of a user file. Even if operationally required by the backend, sending local documents to third-party storage without explicit consent creates a confidentiality and data-handling risk, especially because templates may contain proprietary branding, notes, or embedded metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to set, persist, and even echo an API key, but it does not warn that secrets stored in shell rc files, plaintext JSON config files, or printed to the terminal can be exposed through shell history, screen sharing, logs, backups, or overly permissive file permissions. In a skill that directly depends on a paid/authenticated API, this increases the chance of credential leakage and subsequent unauthorized use of the Skywork account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The helper defaults to writing destructive operations back to the original PPTX when no output path is supplied. In this skill, delete and reorder are explicitly file-mutating commands, so silent in-place overwrite can cause irreversible data loss or accidental corruption if the user or calling agent omits -o or miscommunicates intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads a local file and uploads its full contents to a remote API without any explicit privacy warning, consent prompt, or minimization step. That is dangerous because users may assume local PPT manipulation while the tool actually transmits potentially sensitive document contents off-host, creating confidentiality and compliance risks if secrets, personal data, or proprietary material are included.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends a user-supplied file URL plus an authenticated bearer-token request to an external conversion endpoint, but the code provides no explicit consent prompt, trust boundary notice, or validation of where the referenced file is hosted. In a presentation-editing skill, users may assume local/offline processing, so this can unintentionally disclose sensitive presentation contents or internal document URLs to a remote service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User-supplied queries are transmitted to a remote API without any visible privacy notice, consent step, or indication of what data leaves the local environment. In a skill expected to work on local PPT assets, this mismatch increases the chance that sensitive project names, slide text, or proprietary topics are unknowingly disclosed to an external service.

Missing User Warnings

Low
Confidence
89% confidence
Finding
Search results are written into a temporary directory using filenames derived from the raw query string, without any user warning or retention controls. This can leave sensitive search topics and returned content on disk unexpectedly, increasing exposure to local users, support tooling, backups, or later processes that inspect temp directories.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow uploads local files to OSS without any user-facing warning that document contents will leave the local machine. For presentation and PDF files, this may expose confidential business data, personal information, or proprietary content to external infrastructure without informed consent, making the behavior risky in a file-handling skill that otherwise appears local-facing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow instructs the agent to upload a user-provided local PPTX to a publicly accessible OSS/CDN URL in order to continue processing, but it does not require explicit user consent or warn that document contents will be transmitted off-host. Because PPTX files often contain sensitive business data, this can cause unintended disclosure to third-party storage or make private material publicly reachable.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file parsing step explicitly says the service uploads local files, extracts content, and returns a file URL and file ID, but there is no requirement to warn the user before this happens. Sending local files and generating externally accessible metadata without a user-facing warning undermines informed consent and can expose sensitive source material or persistent links to remote systems.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The workflow requires web searching when conversation context is insufficient, but it does not instruct the agent to warn users that their topic or related details may be sent to external search providers. While lower impact than file upload, it still creates an avoidable privacy issue, especially for confidential business topics or internal project names.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow performs external upload of a local PPTX without instructing the agent to warn the user or obtain approval. This is dangerous because users may reasonably believe they are only referencing a local file, while the skill silently transmits it off-device, potentially exposing confidential business material.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow sends user-supplied files to a document parse service and may send topic/query content to external search or generation components, yet it does not require explicit user notice about those transfers. This creates a transparency and privacy issue because uploaded documents and prompt content can contain sensitive or proprietary information that leaves the local environment without informed consent.

VirusTotal

67/67 vendors reported this skill as clean.
