anthropic-pptx

Security checks across malware telemetry and agentic risk

Overview

This PPTX skill is mostly for presentation work, but it bundles broader Office document mutation and a native LibreOffice shim that deserve review before installation.

Install only if you are comfortable with a PPTX skill that can also process Word and Excel Office archives. Use it on copies of documents, avoid sensitive files unless you have reviewed the workflows, and be especially cautious on shared systems because the LibreOffice helper can compile and preload native code from temporary storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)
Confidence
95% confidence
Finding
subprocess.run(["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file processes Word DOCX redline content even though the skill manifest says the skill should only be used for .pptx presentation files. That scope mismatch is dangerous because it creates hidden capability outside the declared trust boundary, increasing the chance the agent will open, parse, or modify unsupported document types without appropriate review, routing, or safeguards.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill manifest says this skill should be used specifically for PPTX-related work, but the implementation explicitly supports packing DOCX and XLSX files as well. This creates a scope mismatch that can cause the agent to process document types outside the declared trust boundary, undermining policy controls, routing assumptions, and security review expectations for the skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The runtime check accepts .docx and .xlsx outputs even though the skill metadata frames this as a PPTX-focused presentation skill. In an agent system, this can be exploited to bypass tool-selection and governance assumptions, letting users or chained prompts invoke broader Office document manipulation than intended.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Compiling and injecting a native `LD_PRELOAD` shim is a powerful code-execution mechanism that goes well beyond ordinary `.pptx` handling. In this skill context, that makes the helper more dangerous because presentation conversion should not require dynamic interposition from a temp-built shared object, and any compromise of that path yields arbitrary process-level behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script explicitly advertises support for .docx and .xlsx files even though the skill is declared as pptx-focused. In an agent setting, this scope mismatch can cause the skill to be invoked on broader document types than users or orchestrators expect, increasing the attack surface and enabling unintended processing of Word or Excel content.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The validator dispatch logic handles .docx and accepts .xlsx extensions, which exceeds the declared scope of the pptx skill. In a security-sensitive agent environment, this kind of capability drift is dangerous because policies, user expectations, and downstream safeguards may assume only presentation files are touched.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
This file implements Word .docx redlining validation inside a skill declared as PowerPoint/.pptx-focused, which indicates capability drift and mismatch between declared and actual behavior. In an agent environment, undeclared document-processing logic expands the trust boundary, increases attack surface, and can cause the agent to access or transform file types users and reviewers did not expect this skill to handle.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
A pptx-oriented skill containing subprocess-based git diff functionality is unjustified by its declared purpose and introduces unnecessary external command execution capability. Even though the current arguments are fixed, this extra capability increases environmental dependency risk, executable hijacking/path issues, denial-of-service potential, and overall attack surface in a context that should be limited to presentation handling.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger criteria are extremely broad, directing use whenever terms like 'deck,' 'slides,' or 'presentation' appear, regardless of actual need. Overbroad invocation can route unrelated tasks into a skill with shell and file-handling capabilities, unnecessarily exposing user data and increasing opportunities for misuse or prompt-triggered execution on untrusted files. The context makes this more dangerous because Office documents are common attacker-controlled inputs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The helper silently prepares an environment that may trigger runtime compilation, temp-file writes, and `LD_PRELOAD` injection without any explicit user-facing acknowledgment or trust boundary checks. In a file-handling skill, this hidden behavior increases operational and supply-chain risk because processing a seemingly ordinary presentation can cause native code to be built and loaded behind the scenes.

VirusTotal

66/66 vendors flagged this skill as clean.
