ClawHub

Frontend Slides

Security checks across malware telemetry and agentic risk

Overview

This skill is a presentation-generation helper with disclosed, purpose-aligned local file handling and no evidence of hidden or destructive behavior.

Install this if you want an agent to create or convert slide decks. When converting files, point it only at the specific PPT/HTML or asset folder you intend to use, install optional Python packages only when needed, and avoid inline editing on shared browsers if localStorage persistence is a concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README includes very broad natural-language trigger examples such as creating a pitch deck or converting a presentation, which are common user requests and may cause the skill to be invoked unintentionally when a user is asking more generally for presentation help. In a routing or auto-invocation system, this can lead to overbroad matching, unexpected file handling, or execution of the wrong capability, even though the content itself is not overtly malicious.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger "Создай pitch deck для моего AI-стартапа" is broad enough to overlap with normal presentation-related user requests, which can cause the skill to activate in situations where the user did not explicitly ask for this specific tool. Over-broad activation increases the chance of unintended file handling or generation behavior, especially because this skill can also convert uploaded PowerPoint files into executable HTML with embedded CSS/JS.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal