openclaw-slides

Security checks across malware telemetry and agentic risk

Overview

This skill is a presentation generator/converter with expected local file processing and optional Python package installation, with no artifact-backed hidden, destructive, or exfiltrating behavior.

Install only if you are comfortable letting the agent read presentation files and image folders you provide, extract assets into an output directory, and optionally install python-pptx/Pillow from PyPI for conversion. Avoid using sensitive decks unless you trust the OpenClaw environment where the skill runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The example invocation phrase is broad enough to overlap with generic creative-assistance requests, which can cause the platform to route unrelated presentation or pitch-deck requests to this skill automatically. In a skill that can generate HTML and convert uploaded PowerPoint files, over-broad triggering increases the chance of unintended activation, unnecessary file handling, and unexpected content generation beyond the user's precise intent.

Missing User Warnings

Low
Confidence: 91%
Finding
The README advertises PowerPoint conversion but does not clearly disclose that uploaded .ppt/.pptx content may be transmitted to the underlying system or processed outside the user's local context. This is a real transparency and privacy issue because users may provide sensitive presentation material without understanding how it is handled, stored, or exposed during conversion.

VirusTotal

65/65 vendors flagged this skill as clean.
