Doc2Slides

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends chosen text or documents to nyoi.io to create PDF slide decks. That behavior is privacy-sensitive, and users should understand it first.

Install only if you are comfortable sending the specific notes, files, URLs, and generated slide outputs to nyoi.io and related storage infrastructure. Treat API keys, job IDs, webhook secrets, and download links as private, and avoid regulated or highly confidential documents unless you have reviewed the provider's privacy, retention, and access-control practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding:
The manifest description contains very broad trigger language such as using the skill whenever the user mentions generic terms like slides, presentation, PPT, or wants content turned into a visual format. This can cause the skill to activate on loosely related requests and route user content to an external service even when the user did not clearly intend to use this integration.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill instructs sending user text, documents, file URLs, and base64 file contents to nyoi.io, but it does not require a clear user-facing disclosure that data will leave the current platform and be processed by a third party. This creates a privacy and data-handling risk, particularly if users provide sensitive documents without understanding the transfer.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The API reference instructs users to upload full document contents and supports outbound webhook callbacks, but it provides no warning about sending sensitive data to a third-party service, retention, access controls, or webhook security expectations. In a document-conversion skill, users may submit confidential reports, contracts, or internal notes, so missing privacy and data-handling guidance materially increases the risk of unintentional data disclosure or insecure callback use.

External Transmission

Medium
Category: Data Exfiltration
Content:
### Submit job

```bash
curl -s -X POST https://www.nyoi.io/api/tools/doc-to-slides/execute \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: <API_KEY>" \
  -d '<JSON body>'
```
Confidence: 95%

VirusTotal

66/66 vendors flagged this skill as clean.
