Kai Export PPT Lite

Security checks across malware telemetry and agentic risk

Overview

This is a coherent HTML-to-PPTX exporter, but it can install Python dependencies and fetch images referenced by input HTML, so it should be used with trusted files.

Install only if you are comfortable with the skill installing Python packages; otherwise, preinstall the listed dependencies yourself and disable auto-installation. Convert trusted HTML when possible, because image references can cause network requests or include local image files in the generated PPTX. Do not host or use the bundled demo HTML as an editable shared presentation without reviewing its save and presenter-mode JavaScript.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if os.environ.get("KAI_EXPORT_PPT_LITE_AUTO_INSTALL", "1").lower() in {"0", "false", "no"}:
        return False
    try:
        subprocess.run(
            [sys.executable, "-m", "pip", "install", *missing],
            check=True,
            stdout=sys.stderr,
Confidence
96% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", *missing], check=True, stdout=sys.stderr, stderr=sys.stderr)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This HTML is not just a passive slide deck: it enables in-browser editing of slide content and speaker notes, then attempts to persist the modified document back to the current path using a PUT request. In a skill or artifact viewer context, that creates an unexpected client-side write capability that could alter local or hosted content, tamper with presentation material, or overwrite files if served by an endpoint that accepts PUT.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The advertised Ctrl+S behavior masks the fact that the code issues a PUT request to the current path with the full HTML document as body. In an agent/skill context, this can cause unintended network writes to a same-origin endpoint, potentially overwriting content or persisting user-edited data if the hosting environment accepts PUT, which is more dangerous than a local-only save expectation.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The embedded editor can serialize the full DOM and attempt a same-path HTTP PUT to overwrite the current HTML file, which is a state-changing network action inconsistent with the page’s 'zero-dependency / local HTML' framing. In permissive hosting or local companion-server setups, this could let a user or another party with page access modify published slide content unexpectedly, including speaker notes and editable text, creating integrity and trust risks.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The edit mode does more than in-browser editing: it attempts an HTTP PUT to location.pathname, which can write modified HTML back to whatever server endpoint hosts the file if that server accepts PUT. In a skill/demo context, this is risky because opening an untrusted presentation and pressing save could trigger unintended server-side content modification or overwrite attempts against same-origin resources.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The save routine attempts to write the modified HTML back to the current path using an HTTP PUT request, which contradicts the file's 'single self-contained/no server required' messaging and can cause unintended persistence when the file is hosted behind a writable endpoint. If served from an environment that accepts PUTs, edits made in-browser could overwrite shared content or create unauthorized changes without clear user understanding.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation explicitly says the JavaScript can be inserted directly without modification, but the code later enables editing and persistence of the current HTML via saveFile(), including a network PUT to location.pathname. That mismatch is security-relevant because consumers may embed the script assuming it is presentation-only, while it actually performs state-changing write behavior and can overwrite or transmit document contents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Runtime package installation is not necessary for core HTML-to-PPTX conversion and introduces environment mutation plus supply-chain exposure. In a skill context, this is more dangerous because the agent may run unattended and the user may not expect outbound package retrieval or local installation side effects.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The exporter fetches remote `http(s)` image URLs during conversion, creating network access from untrusted HTML input. This can be abused for SSRF-like requests, unexpected data egress, or contacting attacker-controlled hosts simply by embedding remote image references in the source HTML.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The editor binds Ctrl/Cmd+S to save the entire modified HTML back to the current pathname via HTTP PUT without any confirmation, capability check, or clear warning. In an environment where the current path accepts authenticated writes, a user could unintentionally overwrite published content or persist tampered slide content, creating integrity and content-defacement risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The edit mode makes slide content directly editable and allows Ctrl+S to overwrite the current presentation via PUT or trigger a download without an explicit warning, confirmation, or trust boundary disclosure. In a skill context where generated HTML may be opened locally or hosted, this can lead to accidental modification, unsafe persistence of tampered content, or unexpected writes to a server endpoint if PUT is accepted.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Speaker notes are broadcast over a predictable BroadcastChannel name and received by any same-origin page that joins that channel. That means notes, slide index, and presentation state can be passively observed or influenced by other pages under the same origin without explicit user awareness, which is especially risky because speaker notes often contain sensitive talking points or internal-only material.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The in-browser editor saves modified HTML back to the current path using an automatic HTTP PUT on Ctrl/Cmd+S, without a confirmation prompt or clear indication that it will attempt to overwrite the source file. In environments where the page is served from a writable local/dev server, this can unexpectedly alter hosted content or demo artifacts, increasing risk of accidental defacement or persistence of unintended edits.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file exposes an edit mode that makes slide content editable and binds Ctrl/Cmd+S to save the modified HTML back via PUT to the current path, with a fallback that downloads a replacement HTML file. In the skill context, this can unexpectedly overwrite local content or trick users into persisting unreviewed changes, which is risky because the entire HTML/notes state is treated as trusted and saved without a clear confirmation flow or warning.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The page makes unsolicited network requests to Google Fonts, which leaks user metadata such as IP address, user agent, timing, and referrer context to a third party. In a supposedly self-contained local presentation tool, this weakens privacy expectations and can surprise users in restricted or offline environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The saveFile() function issues a PUT to the current path with the full edited HTML without any confirmation, warning, or origin/path restriction. In environments that expose writable static files or a permissive local/dev server, a user pressing Ctrl+S could unintentionally overwrite hosted content, enabling unauthorized content modification or persistence of injected edits.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The page enables editing arbitrary slide text and binds Ctrl/Cmd+S to write the current DOM back to the HTML file via PUT, with fallback download, without any confirmation or trust boundary warning. In a skill/demo context that may be opened locally or served from a writable endpoint, users can unintentionally persist modified content, including unsafe markup introduced during editing, causing integrity loss and possible stored client-side script injection when the file is reopened.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The inline save feature serializes the full document and attempts to write it back to the current path via HTTP PUT when the user presses Ctrl/Cmd+S, with no confirmation or clear warning. In environments where the page is served from a writable endpoint, accidental edits or socially induced keypresses could overwrite published content, causing unauthorized content modification or data loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Opening this local HTML file triggers requests to Google Fonts, which discloses the user's IP address, user agent, timing, and likely referrer/context to a third party without any notice. In a skill advertised as self-contained and usable locally, this is a meaningful privacy and trust issue because merely viewing the deck causes external network contact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file enables arbitrary in-browser editing of slide content and speaker notes, then attempts to persist the modified HTML back to the current path via PUT, falling back to a downloaded replacement file. In a skill/demo context, this can mislead users into overwriting local or hosted content without clear warning, increasing the chance of accidental tampering, loss of trusted content, or persistence of unsafe edits.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The page binds Ctrl/Cmd+S to attempt an HTTP PUT to the current path and silently falls back to downloading the full edited HTML, which can persist modified content or notes without clear consent or visibility. In a skill context where users may edit sensitive slide text or speaker notes in-browser, implicit save/export behavior can cause unintended local or server-side data disclosure or overwrite if hosted behind a permissive endpoint.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The presenter view shares slide notes over a BroadcastChannel to another window without any disclosure that speaker notes are being transmitted to a second browsing context. While BroadcastChannel is same-origin scoped, opening presenter mode can expose confidential notes to any same-origin page or tab listening on the predictable channel name, which matters if this HTML is hosted in a shared origin.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The editor saves the entire current DOM as a downloadable HTML file, including per-slide speaker notes stored in data-notes attributes and any user edits, without a clear warning or export review step. This can cause inadvertent disclosure of confidential notes, internal talking points, or sensitive content when users share the exported deck, especially because the notes are embedded in the file rather than kept separate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The editable presentation allows Ctrl/Cmd+S to persist changes by attempting server writeback or silently downloading a replacement file, with no confirmation dialog or warning about what will happen. This can lead to accidental overwrites, confusion about where data is being stored, and unintended modification of presentation artifacts, especially in shared or hosted contexts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The saveFile() function serializes the full HTML document and sends it via fetch(location.pathname, { method: 'PUT' }) with no user-facing warning, confirmation, or clear indication that content may be transmitted to a server or overwrite an existing resource. In this skill context, the code is presented as drop-in slide functionality, which makes the hidden persistence and network behavior more dangerous because adopters may not expect document contents, including speaker notes, to be written back over HTTP.

VirusTotal

66/66 vendors flagged this skill as clean.
