ZeeLin Auto-PPT

Security checks across malware telemetry and agentic risk

Overview

This presentation skill largely does what it advertises, but it can process every PDF on the user's Desktop without a clear per-file approval step.

Install only if you are comfortable with an agent using your logged-in NotebookLM browser session, sending presentation content and optional YouTube queries to external services, and writing outputs to Desktop. Avoid --all-desktop unless your Desktop contains only intended presentation PDFs; prefer exact file names for merge and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly performs file reads/writes and network-driven browser automation via exec and external scripts, yet declares no permissions. This deprives users and the platform of an accurate trust boundary and hides the true capability surface, especially because it writes files to ~/Desktop and reads local reference files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The public description says the skill generates PPT/PDF through NotebookLM, but the instructions also authorize broader behaviors: YouTube searching, URL harvesting, adding web sources, merging desktop PDFs, deduplicating pages, and regenerating PPTX. This mismatch can cause users to approve a seemingly narrow presentation tool while it actually accesses network content and modifies local desktop files.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This file recommends direct execution of local shell and Python commands using absolute filesystem paths, which can create, modify, and merge user files without an explicit safety gate. In an agentic environment, operational instructions that normalize command execution increase the risk of unintended file-system side effects and over-broad behavior beyond passive content generation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script advertises PPT generation via NotebookLM, but optional environment variables enable unrelated YouTube searching and harvesting of video URLs as additional sources. This expands the skill's data-access and browsing scope beyond the core workflow, which is risky because it can cause unexpected external navigation and content ingestion without clear user awareness or consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code autonomously opens YouTube search results, extracts video links from the DOM/snapshots, and feeds them into NotebookLM as sources. In the context of a PPT-generation skill, that behavior is not strictly necessary and increases exposure to unintended browsing, untrusted content ingestion, and potentially privacy-sensitive user context leakage through automated web interactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exports artifacts to ~/Desktop and recommends post-processing across desktop PDFs, but it does not provide a clear up-front warning that existing desktop files may be enumerated, merged, or modified. In context, the '--all-desktop' example increases risk because a broad file-selection behavior could affect unrelated user documents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs merging PDFs and optionally postprocessing outputs, but does not require explicit notice or confirmation that local files will be created, modified, or combined. In an autonomous skill, silent file operations can surprise users, overwrite artifacts, or process unintended files if glob patterns match more broadly than expected.

VirusTotal

61/61 vendors flagged this skill as clean.