slide-to-video-converter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real slide-to-video tool, but its optional TTS server is too open and could expose or overwrite local files if reachable by others.

Review before installing, especially for confidential presentations. Prefer local TTS for sensitive content, run it in a constrained project directory or virtual environment, and do not start the HTTP server unless it is bound to localhost, access-controlled, and patched to restrict input and output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = ["ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", filelist,
       "-c", "copy", "-avoid_negative_ts", "make_zero",
       "-movflags", "+faststart", str(output_path)]
r = subprocess.run(cmd, capture_output=True, text=True)
if r.returncode != 0:
    flush_print(f"  ❌ Concat failed: {r.stderr[-300:]}")
    return False
Confidence
83% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs users to run Python scripts that read and write files, invoke shell-accessed tools like ffmpeg and LibreOffice, and use networked TTS services, yet it declares no permissions or capability warnings. This creates a transparency and consent gap: an agent or user may execute a skill with broader local/system and network effects than the metadata suggests.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The /tts/slides endpoint accepts a user-controlled script_path and reads that path from local disk without restricting it to an approved directory or filename pattern. A remote caller can cause the server to open arbitrary local files, which can expose sensitive data or trigger parsing of unintended files if the service is network-accessible.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The /tts endpoint uses user-supplied save_to_file directly in OUTPUT_DIR / req.save_to_file and then writes to that path. Because no normalization or traversal check is performed, attackers can supply paths like ../../... to write files outside the intended output directory, potentially overwriting application files, startup scripts, or other sensitive locations accessible to the server process.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes Edge TTS as the default online mode but does not warn that slide text, speaker notes, or derived content may be sent to an external Microsoft-operated service. In this context, presentations often contain confidential business, educational, or personal material, so silent transmission to a third party can cause data exposure and compliance issues.

VirusTotal

67/67 vendors flagged this skill as clean.
