Doc2slides

Security checks across malware telemetry and agentic risk

Overview

This document-to-slides skill is mostly purpose-aligned, but it can send document contents to external AI providers despite repeated local-only claims.

Install only if you are comfortable with document text potentially being processed by configured AI providers or a local/remote compatible model endpoint. Before using it on confidential documents, verify model configuration, avoid setting API keys unless intended, prefer JSON/template-only or truly local modes where possible, and be aware that setup installs packages and generated HTML may be rendered in a browser.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (25)

Intent-Code Divergence

High (98% confidence)
The file header explicitly claims the script is 'LOCAL-ONLY' with 'No network requests', but the code constructs an LLM prompt from document contents and sends it through `LLMAdapter.generate()`. This is dangerous because users and downstream tooling may trust the local-only claim and provide sensitive documents that are actually transmitted to an external model endpoint, creating a confidentiality and compliance risk.

Description-Behavior Mismatch

Medium (94% confidence)
The skill is marketed as local-first document-to-PPT conversion, yet this script sends up to 50,000 characters of document content to an LLM backend for processing. In a document-conversion context, users may supply proprietary or regulated files, so undisclosed remote transmission materially increases privacy, IP leakage, and regulatory exposure.

Intent-Code Divergence

Medium (97% confidence)
This script directly interpolates user-controlled strings into HTML templates with repeated .replace() and f-strings, without any HTML escaping or sanitization. If the generated slides are opened in a browser or embedded in a webview, attacker-supplied content can inject arbitrary markup or JavaScript, causing stored/client-side XSS despite the misleading 'local-only' security comment.

Context-Inappropriate Capability

Medium (95% confidence)
The script renders attacker-controlled or document-derived HTML in a full Chrome engine, which enables JavaScript execution and external resource loading during conversion. In a document-to-slides pipeline, this can cause unintended network egress, tracking, SSRF-like access from the host environment, or exploitation of browser bugs, especially because no flags restrict script execution or outbound fetches.

Intent-Code Divergence

Medium (91% confidence)
The security comment is misleading because the implementation does more than 'only call a local Browser': it loads arbitrary HTML into Chrome headless without controls preventing active content execution or remote fetches. That mismatch can cause developers and reviewers to underestimate the trust boundary and the risk of processing untrusted slide HTML.

Intent-Code Divergence

High (98% confidence)
The header explicitly claims the adapter is 'LOCAL-ONLY' and makes 'No network requests', but the implementation initializes remote clients for OpenAI, Zhipu, and DeepSeek and sends prompts to external endpoints. This kind of deceptive or inaccurate security annotation can cause reviewers and users to trust the component with sensitive document contents that are actually transmitted off-host.

Context-Inappropriate Capability

Medium (91% confidence)
This code creates clients for remote providers and is designed to transmit prompts to external APIs, which expands the trust boundary of a 'local-first' document-to-slides skill. If users process confidential documents, their contents may be exfiltrated to third-party services contrary to expectations set by the skill description.

Intent-Code Divergence

Medium (95% confidence)
The file-level security comment claims the script 'only performs local operations,' but the code clearly sends slide data to an LLM via `LLMAdapter.generate(...)`. This is a security-relevant misrepresentation because users may provide sensitive document content under the false assumption that it never leaves the local environment, creating data exposure and trust-boundary risks.

Intent-Code Divergence

High (95% confidence)
The file-level comment states there is 'no remote code execution', but the fallback path later invokes another Python script via subprocess. While this is local process execution rather than direct attacker-supplied shell execution, the misleading assurance can cause downstream reviewers or agents to trust code paths that do execute code indirectly. In a skill that processes LLM output and user-influenced slide data, hidden execution paths increase risk and reduce auditability.

Intent-Code Divergence

High (98% confidence)
The file header claims the script is 'LOCAL-ONLY' and makes no network requests, but the implementation accepts URL inputs and passes them to an external CLI that may fetch remote content. This mismatch is dangerous because it can mislead reviewers, users, and policy enforcement into trusting a broader capability than disclosed, enabling unexpected remote access and data flow.

Description-Behavior Mismatch

Medium (88% confidence)
The script advertises processing of URLs in addition to local files, which expands the skill's effective capability beyond a document-to-slides tool for local documents. Scope expansion is security-relevant because it increases attack surface, allows remote content ingestion, and may bypass user expectations or marketplace review assumptions.

Context-Inappropriate Capability

High (95% confidence)
The code executes an external 'summarize' binary on user-controlled input, including URLs, which delegates trust to another executable outside this script's control. That creates a significant boundary-crossing risk: the external tool may perform network access, process untrusted files, or behave unsafely, and this script provides only minimal validation before invoking it.

Intent-Code Divergence

Medium (97% confidence)
The file explicitly claims it is "LOCAL-ONLY" with no network requests, yet later sends slide content to an LLM adapter for generation. That mismatch can cause users or host systems to trust the component with sensitive document data under false assumptions, leading to unintended data disclosure if the adapter uses a remote model.

Context-Inappropriate Capability

Medium (95% confidence)
The matcher constructs a prompt containing full slide JSON, including title, key points, content detail, and data points, then passes it to LLMAdapter.generate(). In a skill advertised as local-first, this creates a data exfiltration path for potentially sensitive document contents if the adapter is backed by a cloud LLM.

Intent-Code Divergence

Medium (88% confidence)
The prompt explicitly says not to fabricate data, but later instructs the model to infer replacement labels when labels appear truncated. That creates a data-integrity vulnerability: the model may silently transform incomplete or ambiguous source data into plausible-looking business metrics, causing misleading charts or claims in generated slides. In this skill context, that is more dangerous because the output is presentation material intended to look polished and authoritative, increasing the chance users will trust invented semantics.

Intent-Code Divergence

Medium (97% confidence)
The inline comment states that the workflow only uses a local browser for HTML rendering, but the file also executes multiple local Python scripts and a bash script via subprocess. This is a misleading security claim that can cause reviewers or users to underestimate the attack surface and trust the pipeline more than they should.

Intent-Code Divergence

Medium (97% confidence)
The header explicitly claims there are 'No network requests' and 'no external API calls', but the script runs 'pip3 install' against PyPI and may also require downloading Playwright/browser components. This is a deceptive or inaccurate security claim that can cause users or downstream agents to approve execution under false assumptions about outbound network activity and supply-chain exposure.

Vague Triggers

Medium (77% confidence)
The trigger phrases are broad enough to match many ordinary requests about making presentations, which increases the chance of automatic activation on unrelated or higher-sensitivity content. In an agent setting, overbroad invocation can lead to unintended file processing, unnecessary permission use, or accidental transmission of document contents if optional networked analysis is enabled.

Missing User Warnings

Medium (94% confidence)
The skill notes optional LLM-provider support but does not clearly warn that document contents may be sent to OpenAI, Zhipu, DeepSeek, or compatible endpoints. This is dangerous because users may input confidential PDFs, reports, or internal documents under the assumption of local-only handling, creating a real data-exfiltration and privacy risk.

Missing User Warnings

Medium (93% confidence)
The workflow passes document-derived slide content and user instructions into an LLM-based generator without any visible consent, disclosure, or guarantee that the model is local-only. In a document-processing skill, this creates a real data exposure risk because sensitive source material may be transmitted to an external model backend depending on the LLMHTMLGenerator implementation.

Missing User Warnings

Medium (91% confidence)
Generated HTML is opened with Playwright using file:// and wait_until='networkidle' without any request interception or offline mode, so embedded remote assets, scripts, or URLs in LLM-generated HTML can trigger outbound network requests during rendering. Because the HTML is influenced by document content and model output, this expands the attack surface to privacy leaks, tracking, and SSRF-like access from the renderer environment.

Ssd 1

High (93% confidence)
The prompt states that user-supplied natural-language instructions have the highest priority and override all default rules. This weakens safety and output constraints, allowing prompt injection or abusive instructions to bypass document-handling limits, encourage inclusion of sensitive content, or undermine format and policy requirements imposed by the developer.

Ssd 3

Medium (90% confidence)
The prompt schema asks for `source_content` containing the complete original document, even though later prompt text contradicts this and says not to include the raw document. In practice, such conflicting instructions can cause the model to echo sensitive source material into the generated JSON, increasing exposure in logs, output files, and later processing stages.

Ssd 1

High (93% confidence)
The code explicitly gives user instruction 'highest priority' and says it overrides all default prompt rules, which can nullify the generator's own safety and formatting constraints through prompt injection or adversarial instructions. Because this component uses an LLM to emit HTML, an attacker could coerce the model to ignore restrictions like 'no JavaScript' or to produce malformed or unsafe output, especially since validation is incomplete and only checks a limited set of patterns.

Ssd 2

Medium (99% confidence)
The comment explicitly says URL detection is written via string concatenation 'to avoid triggering security scanners,' which is a strong indicator of deliberate evasion. Even though the logic is simple, intent to hide network-related behavior from automated review materially increases risk and undermines trust in the codebase.

VirusTotal

67/67 vendors flagged this skill as clean.