
Security audit

Slidev Datav Dashboard

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal Slidev dashboard scaffold; its main risks are ordinary third-party npm and webfont dependencies.

Install only in projects where npm dependency installation and optional Google Fonts loading are acceptable. For production or offline use, pin dependency versions, keep a lockfile, and consider replacing the remote font import with local or system fonts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The stylesheet pulls fonts from fonts.googleapis.com at build or runtime, creating an external network dependency that can leak metadata such as IP address, user agent, and access timing to a third party. In environments expecting local-only or offline-capable dashboard assets, this also weakens reproducibility and can break builds or presentations when network access is restricted.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"vue": "^3.4.0"
  },
  "devDependencies": {
    "@slidev/cli": "latest",
    "@slidev/theme-default": "latest"
  }
}
Confidence
96% confidence
Finding
"@slidev/cli": "latest"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "@slidev/cli": "latest",
    "@slidev/theme-default": "latest"
  }
}
Confidence
96% confidence
Finding
"@slidev/theme-default": "latest"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"export": "slidev export"
  },
  "dependencies": {
    "@kjgl77/datav-vue3": "^1.7.4",
    "vue": "^3.4.0"
  },
  "devDependencies": {
Confidence
88% confidence
Finding
"@kjgl77/datav-vue3": "^1.7.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@kjgl77/datav-vue3": "^1.7.4",
    "vue": "^3.4.0"
  },
  "devDependencies": {
    "@slidev/cli": "latest",
Confidence
88% confidence
Finding
"vue": "^3.4.0"

VirusTotal

65/65 vendors flagged this skill as clean.
