Emar PPT Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent Emar presentation-template skill, but its generated internal decks can load third-party fonts and executable JavaScript from public CDNs without clear user-facing disclosure.

Review before installing if the decks may contain internal or confidential material. Prefer a revised version that vendors fonts and JavaScript locally, removes CDN fallbacks, and documents any unavoidable external network requests; the artifact does not show malware, credential theft, or destructive behavior.

SkillSpector (4)

By NVIDIA

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The template pulls Google Fonts from external domains at render time, which introduces a third-party network dependency and data leakage for an internal presentation artifact that is supposed to be a single HTML file. This enables outbound requests, tracking, and supply-chain risk if the remote content changes or is blocked.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding: The template executes JavaScript fetched at runtime from public CDNs, including lucide and a fallback import of Motion from jsDelivr. That creates classic supply-chain and network-execution exposure: anyone rendering the deck may execute modified third-party code, and internal-use context makes unexpected outbound code loading more sensitive.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: The template is advertised as a single-file HTML deck, but it fetches fonts from Google at runtime. This creates an external dependency that can leak viewer metadata such as IP address and user agent, break offline use, and expose the deck to supply-chain or availability risk if the remote resource changes or is unavailable.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding: The HTML loads executable JavaScript from third-party CDNs at runtime (Lucide and Motion fallback). Any compromise of those CDN resources, DNS, or upstream packages would result in arbitrary script execution in the viewer's browser under the page's origin, which is more severe than passive asset loading.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.
