ClawHub

Slidev Maker

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Slidev helper skill with purpose-aligned examples, but users should be mindful of Slidev features that can execute code, use external services, expose remote controls, or record screen/camera content.

Reasonable to install for Slidev work. Before using its examples, avoid untrusted monaco-run code, configure PlantUML to a trusted server for private diagrams, use remote control only on trusted networks with a strong password, and review screen/camera content before recording or sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The file explains how to use `monaco-run` and even shows autorun-related configuration, but it does not warn that the embedded code executes in the browser. That omission could lead an agent or end user to include runnable snippets from untrusted sources, increasing the risk of script execution, data exfiltration within the presentation context, or unsafe browser-side actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This is a real security/privacy weakness in documentation: the file states that Slidev uses a public PlantUML server by default, but it does not clearly warn users that diagram source content is transmitted to that third-party service. Users may include confidential architecture details, credentials, internal hostnames, or business logic in diagrams and unknowingly exfiltrate them outside their environment. In this skill context, the issue is more dangerous because the skill is operational guidance that users may follow directly when preparing internal presentations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation encourages enabling Slidev's remote control feature on the local network but does not warn that this exposes presentation control and content to other reachable devices. In a skill intended to guide end users, omission of this security context can lead to unintended access, especially if weak or no password protection is used on shared or untrusted networks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The recording section instructs users to capture screen and camera content without mentioning privacy or data-sensitivity risks. Users may inadvertently record confidential material, personal data, or bystanders, then store or share the resulting files insecurely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal