Claw Presenter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it converts user-provided PPT/PDF files into slide images and narration data, with ordinary install and local-output cautions.

Install this in a virtual environment or sandbox if possible, review before allowing sudo package installs, and avoid processing untrusted or highly sensitive decks unless you are comfortable with their extracted notes and slide text being saved locally under presentations/<name>.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match ordinary requests for presentation help, which can cause this skill to activate when the user did not intend file parsing or shell-backed processing. In context, that matters because the skill may then ask for or operate on local files and generate outputs, expanding access beyond a simple conversational request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes extracted slide text, speaker notes, and generated metadata to presentation.json under a persistent output directory without any explicit warning, consent, retention control, or cleanup. In this skill's context, presentation notes commonly contain sensitive internal speaking points, unpublished content, or secrets, so silent persistence increases the risk of unintended disclosure to other users, tools, or later processes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx
Pillow
pdf2image
pdfplumber
Confidence
96% confidence
Finding
python-pptx

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx
Pillow
pdf2image
pdfplumber
Confidence
99% confidence
Finding
Pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx
Pillow
pdf2image
pdfplumber
Confidence
95% confidence
Finding
pdf2image

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-pptx
Pillow
pdf2image
pdfplumber
Confidence
95% confidence
Finding
pdfplumber

Known Vulnerable Dependency: Pillow. 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption); +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
Pillow

VirusTotal

66/66 vendors flagged this skill as clean.
