html-ppt — HTML PPT Studio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent static HTML presentation skill, with the main cautions being third-party CDN resources and demo slides that mention sensitive tools or commands.

Reasonable to install for making HTML slide decks. For confidential decks, avoid remote CDN loading by bundling Chart.js, highlight.js, and fonts locally. Treat bundled demo commands and API-key examples as placeholder slide content; do not copy them into real projects or configs without reviewing scope, backups, and credential handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding:
The template loads Chart.js from a third-party CDN at runtime, which introduces a supply-chain and privacy risk into an otherwise local/static presentation artifact. If the CDN, dependency, or network path is tampered with, anyone opening the generated presentation could execute attacker-controlled JavaScript in their browser.

Context-Inappropriate Capability

Severity: Medium. Confidence: 89%.
Finding:
A local HTML PPT template is expected to be self-contained or at least predictable offline, but this file silently depends on an external script host. That expands the trust boundary to a third party and creates reliability, tracking, and script-injection risk when the deck is opened.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding:
The template pulls Chart.js from a third-party CDN at render time, creating an external trust and availability dependency in what is described as a static HTML presentation template. If the CDN is unavailable, blocked, or serves compromised content, generated presentations can fail or execute attacker-controlled JavaScript in the viewer's browser.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Finding:
Including an undocumented external network dependency weakens the security and reliability model of a static presentation generator. It expands the attack surface to the network path and third-party infrastructure, which is especially relevant because presentation viewers may open the HTML in varied environments where remote script execution is unexpected.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding:
The template pulls Chart.js from a third-party CDN at render time, which introduces a supply-chain and integrity risk for a tool advertised as generating static local HTML presentations. If the CDN content is modified, unavailable, or blocked, generated presentations may execute untrusted code or fail to render charts entirely.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding:
An unjustified external dependency weakens the trust boundary of an otherwise local, template-driven slide generator. In this context, every generated presentation inherits a runtime dependency on jsDelivr, creating privacy leakage, availability issues, and potential exposure to compromised third-party script delivery.

Vague Triggers

Severity: Medium. Confidence: 92%.
Finding:
The skill description is triggered by a very broad set of presentation-related terms, including generic requests like 'presentation', 'slides', and 'deck'. Overbroad activation increases the chance the skill is invoked in contexts where a narrower or safer skill should handle the request, which can lead to inappropriate capability selection and unnecessary exposure to its file/template/tooling surface.

Vague Triggers

Severity: Medium. Confidence: 89%.
Finding:
The 'When to use' section says to use the skill for 'any kind of slide-based output' and to prefer it over building from scratch, which encourages broad invocation outside a tightly scoped use case. This can cause the agent to route loosely related requests into this skill by default, increasing the risk of misapplication and compounding any downstream issues in the skill's templates, scripts, or external dependencies.

Missing User Warnings

Severity: Low. Confidence: 95%.
Finding:
This stylesheet imports fonts from Google Fonts, which causes clients viewing generated presentations to make outbound requests to a third-party service. That leaks metadata such as IP address, user agent, timing, and referrer context, and can create privacy/compliance issues when users are not informed or when offline/self-contained output is expected.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding:
The slide content explicitly promotes recursive scanning of arbitrary folders and LLM-based entity extraction without any privacy warning, scoping guidance, or mention of sensitive-data handling. In the context of an agent skill that may influence user behavior, this can lead users to index confidential documents and potentially send extracted content or metadata to external models or services unintentionally.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding:
The example command and config encourage scanning `~/notes` and `~/code/docs` with recursive inclusion of markdown, PDFs, and Python files, which commonly contain secrets, internal documentation, tokens, API keys, and personal information. Because the same example also references LLM extraction, the skill context makes this more dangerous: users are nudged toward indexing real personal directories without explicit safeguards or disclosure of downstream data exposure.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The slide includes a runnable example command that directs the agent to create a new file in the user's repository (`add a CHANGELOG.md from git log`) without clearly warning that it will modify project contents. In an agent skill focused on generating presentations, showcasing repository-mutating commands can normalize unsafe copy-paste behavior and lead users to trigger unintended writes in real codebases.

Missing User Warnings

Severity: Medium. Confidence: 91%.
Finding:
These slides explicitly instruct users to enable an Obsidian Local REST API plugin that allows external processes to read and write the vault, but they do not warn that this grants modification access to the user's notes. In a skill that helps users connect Claude/MCP tooling to personal knowledge bases, omission of safety guidance increases the chance of accidental overexposure, unintended edits, or destructive automation against sensitive local data.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding:
The config example shows use of an Obsidian API key and localhost service endpoint but provides no warning that the key is sensitive and grants access to the vault through the local API. In context, this is security-relevant because users may copy the pattern directly, mishandle credentials, commit configs to source control, or underestimate the sensitivity of locally exposed services.

VirusTotal

67/67 vendors flagged this skill as clean.