Apple Style PPT Maker

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent slide-generation tool. The main consideration is that approved deck content is sent to Gemini and saved in local output files.

Install if you are comfortable using Gemini for image generation. Review the full slides_plan.json before rendering, avoid putting secrets or regulated content in the deck, use a dedicated API key, keep any .env file out of shared folders or version control, and remember that prompts and slide metadata are saved in the output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to execute local commands, read environment variables for API keys, and read/write files, but it does not declare corresponding permissions. This creates a trust and containment problem: a host may allow the skill to operate with broader capabilities than the user expects, increasing the chance of unintended file access, overwrites, or secret exposure during execution.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill requires Gemini API keys via environment variables and mentions optional `.env` files, but it provides no warning about secret handling, logging, or avoiding inclusion in generated artifacts. In a workflow that runs scripts and writes metadata/manifests, absent guidance increases the risk that credentials are mishandled, stored insecurely, or exposed through debugging, prompts, or workspace files.

VirusTotal

63/63 vendors flagged this skill as clean.
