Frontend Slides

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent presentation-building helper. Its local file, browser, and optional autosave behavior is expected, but should be handled carefully.

Installing it is reasonable if you want HTML slide generation or PPT conversion. Be aware that PPT conversion extracts slide text, images, and notes into local output files; generated HTML runs local JavaScript; and optional edit mode may leave draft slide content in the browser's localStorage. For confidential presentations, review generated files before sharing and avoid edit mode on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The instruction to delete `.claude-design/slide-previews/` creates an unnecessary data-destruction step without requiring user confirmation or clarifying what will be removed. In agentic environments, even deletion of a seemingly temporary directory is risky because users may have stored work product there or path assumptions may be wrong, leading to unintended loss of files.

Missing User Warnings

Low
Confidence: 78%
Finding
Automatically opening generated HTML in a browser causes local active content to execute immediately, including any embedded JavaScript the skill was instructed to generate. While this is part of the intended presentation workflow, it still creates an execution boundary crossing from file generation to code execution without an explicit warning or user approval.

Missing User Warnings

Medium
Confidence: 84%
Finding
The guidance explicitly calls for auto-saving edited slide content to localStorage and supporting export/save file behavior, but provides no requirement for user notice, consent, retention controls, or safeguards around what gets persisted or overwritten. In a presentation-editing skill, this can expose sensitive business content to other users of the same browser profile, create unintended persistence of confidential drafts, or lead to accidental file modification/export without the user understanding the consequences.

VirusTotal

66/66 vendors flagged this skill as clean.
