ppt pro

Security checks across malware telemetry and agentic risk

Overview

This presentation skill is largely purpose-aligned, but it needs Review because some helper paths can install packages, run browser automation, alter WPS settings, and read files outside the intended reference folder.

Install only if you are comfortable with a PPT skill that runs local Python/Node scripts, may install pip/npm packages, and uses a browser renderer. Use it in a disposable or project-scoped workspace, review generated planning JSON before running prompt assembly, avoid feeding untrusted HTML, and do not run the WPS helper unless you accept its persistent WPS configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        print(f"[Puppeteer] Converting {len(html_files)} HTML -> PNG ({scale}x)...")
        r = subprocess.run(
            ["node", str(script_path), json.dumps(config)],
            cwd=str(work_dir), timeout=300
        )
Confidence
89% confidence
Finding
r = subprocess.run( ["node", str(script_path), json.dumps(config)], cwd=str(work_dir), timeout=300 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not _check_puppeteer(work_dir):
        print("Installing puppeteer...")
        try:
            r = subprocess.run(
                ["npm", "install", "puppeteer"],
                capture_output=True, text=True, timeout=180, cwd=str(work_dir)
            )
Confidence
97% confidence
Finding
r = subprocess.run( ["npm", "install", "puppeteer"], capture_output=True, text=True, timeout=180, cwd=str(work_dir) )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        except Exception:
            pass
        if wps_pid is not None:  # E4: kill by PID for reliable cleanup
            subprocess.call(f"kill -9 {wps_pid}", shell=True)


if __name__ == "__main__":
Confidence
95% confidence
Finding
subprocess.call(f"kill -9 {wps_pid}", shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet its instructions explicitly require environment access, file reads/writes, and shell execution across Python, Node, npm, pip, bash, and related tooling. This creates a capability-transparency gap: users or orchestrators may invoke a skill that appears low-risk while it actually performs privileged local operations, including dependency installation and arbitrary script execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a PPT generation assistant, but its documented behavior includes substantial local execution and toolchain orchestration: packaging HTML, screenshotting local files, converting to PPTX, running validators, and installing/running external dependencies. Even if these actions support the feature set, the mismatch is security-relevant because it obscures the true attack surface and may lead users to approve execution they did not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fallback path both installs and executes a Node/Puppeteer stack to process HTML, combining supply-chain risk with browser execution of untrusted content. In a PPT-generation skill, user-provided documents may be transformed into HTML, so this path is realistically reachable and increases danger because rendering content is part of normal workflow.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The loader falls back to `Path(rel_path)` and reads it if it exists, which bypasses the intended `references/` confinement. If an attacker can influence the planning JSON, they can cause arbitrary local file reads and inject sensitive file contents into the generated resource bundle, potentially exposing secrets or unrelated workspace data to downstream model prompts or outputs.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper silently alters persistent user configuration (`~/.config/Kingsoft/Office.conf`) and later force-kills a local process. Those side effects exceed normal file conversion behavior and can change application state across sessions, making the skill more dangerous because it performs host-level modifications not clearly disclosed to the user.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are extremely broad and match many ordinary requests about slides, decks, training materials, and document-to-PPT conversion. Because this skill has powerful local execution behavior, broad auto-invocation increases the chance it will activate in contexts where the user only wanted lightweight help, unnecessarily exposing filesystem and shell capabilities.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation recommends forcefully terminating a process with kill -9 and presents it as required cleanup without warning about data loss or collateral damage. In an agent skill context, normalizing destructive process termination can lead to unstable behavior, interrupted work, and unsafe automation if the PID is wrong or stale.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt explicitly directs the agent to write generated planning JSON into workspace files (`planning/planning{n}.json`) without any user-facing disclosure or confirmation. Silent file creation/modification can cause unexpected workspace changes, overwrite existing artifacts, and break user trust, especially in agent environments where prompts can directly trigger tool-mediated writes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The later instruction reinforces repeated per-page writes to `planning/planning{n}.json` and operationalizes a multi-step file-generation workflow without warning about workspace modification or overwrite risk. In this skill context, repeated autonomous writes increase the chance of clobbering prior work, generating many files unexpectedly, or being abused to fill/alter the project workspace beyond the user's awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script loads attacker-controlled or user-supplied local HTML into Puppeteer using page.setContent(..., { waitUntil: 'networkidle0' }), which allows embedded external resources such as images, fonts, scripts, iframes, or CSS imports to trigger outbound network requests during rendering. In this PPT-generation context, users may reasonably expect local conversion to stay offline, so processing untrusted HTML can leak IP address, environment metadata, and access patterns to remote servers, and may also enable SSRF-like access if the runtime has network reachability to internal services.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Silently installing Puppeteer changes the host environment and performs network access without clear user consent. While not always directly exploitable on its own, this behavior violates least surprise and can expose users to dependency tampering, unexpected downloads, and execution of install-time scripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup script automatically installs Python packages with pip when imports fail, which modifies the host environment without explicit user confirmation. Even if intended as convenience, unattended package installation can introduce supply-chain risk, alter shared environments, and surprise users running the skill in sensitive or production contexts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically runs npm install inside the scripts directory when Puppeteer is missing, causing network access and dependency installation without prior approval. This is risky because npm dependency resolution can execute lifecycle scripts and pull unpinned transitive packages, increasing supply-chain and environment-modification exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes to the user's WPS configuration file to accept the EULA and enable component mode without any prompt or warning. Silent persistent configuration changes are risky in an agent skill because they violate least surprise, may bypass expected consent flows, and can have lasting effects outside the immediate conversion task.

VirusTotal

67/67 vendors flagged this skill as clean.
