Pptx

Security checks across malware telemetry and agentic risk

Overview

This PPTX skill appears non-malicious, but it needs review because its shipped tools go beyond the advertised PPTX scope and include an intrusive LibreOffice shim.

Install only if you are comfortable giving this skill shell-based local document editing and conversion authority. Use it on copies of presentations, review generated PDFs/JPEGs/thumbnails and unpacked XML before sharing, and avoid using the bundled helpers on DOCX/XLSX files unless you explicitly intend that broader Office-document processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

import subprocess
import tempfile
from pathlib import Path
# _SHIM_SOURCE (C source text) and _SHIM_SO (output .so path) are module constants not shown in this excerpt.
src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
src.write_text(_SHIM_SOURCE)
# Compile the shim to a shared object with the host gcc; check=True raises if compilation fails.
subprocess.run(
    ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
    check=True,
    capture_output=True,
)

Confidence: 95%
Finding: subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill clearly instructs use of shell commands and filesystem operations (`python`, `grep`, `soffice`, `pdftoppm`, unpacking archives, writing outputs), yet no permissions are declared. This creates a transparency and policy-enforcement gap: users and orchestrators may invoke a skill with broader capabilities than advertised, increasing the chance of unintended file access, modification, or command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill is presented as PPTX-specific, but the referenced workflows and tooling appear capable of operating on broader Office ZIP-based formats such as DOCX and XLSX. That mismatch can cause the agent to route non-PPTX documents into a skill with undeclared behavior, expanding access to sensitive files and enabling document transformations outside the user's reasonable expectations.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding: The file implements DOCX-specific XML processing under a skill whose manifest explicitly claims PPTX-only scope. This mismatch expands the agent's effective capabilities beyond what policy, routing, or user expectations would allow, creating a scope-bypass risk where Word documents may be parsed or modified by a skill that should only handle PowerPoint content.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This file implements Word DOCX tracked-change parsing and modification logic even though the skill is explicitly scoped to PPTX presentation handling. Scope mismatches are dangerous because they create unintended capability expansion: an agent can touch non-presentation Office content and perform document-redlining operations outside the declared trust boundary, bypassing user expectations, policy gating, or downstream validation tied to file type.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill manifest says this skill should be used for PPTX files, but the implementation explicitly packs and validates DOCX and XLSX as well. This scope mismatch can cause the agent to process document types outside the declared trust boundary, increasing the chance of misuse, unexpected file handling, or bypass of skill-selection safeguards that rely on accurate capability declarations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The CLI and pack logic accept .docx, .pptx, and .xlsx outputs even though the skill is described as a PPTX skill. In an agent environment, this creates a confused-deputy risk where a PPTX-scoped tool can be invoked to manipulate other Office formats, undermining policy boundaries and making harmful or unintended document transformations easier.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The implementation materially exceeds the stated PPTX-only skill scope by accepting DOCX and XLSX files and performing DOCX-specific transformations. In an agent setting, this kind of scope drift weakens policy boundaries and can cause the wrong tool to be invoked on broader document types than users or orchestrators expect, increasing the chance of unauthorized file handling or unsafe downstream processing.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The module docstring and CLI help advertise generic Office editing, which contradicts the PPTX-specific skill contract. Misleading capability documentation is dangerous in agent ecosystems because routing, trust decisions, and user consent may rely on manifest-scoped behavior; broad undocumented behavior makes unintended document access and modification more likely.

Description-Behavior Mismatch

Severity: High
Confidence: 89%
Finding: The file implements `.docx` redlining validation even though the skill manifest claims the skill should be used only when `.pptx` files are involved. This scope mismatch is dangerous because it creates undeclared capabilities and increases the chance that agents or users will route Word-document content through a skill they did not consent to, weakening trust boundaries and review assumptions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 78%
Finding: The skill uses an external `git` subprocess for diffing document content, a capability not justified by the stated `.pptx` presentation purpose. Undeclared process-spawning expands the attack surface, introduces dependence on host tooling and PATH resolution, and may violate sandbox or execution assumptions made for a supposedly narrow file-format skill.

Vague Triggers

Severity: High
Confidence: 98%
Finding: The trigger language is extremely broad: it says to use the skill any time slides, decks, presentations, or any `.pptx` mention appears, regardless of intended downstream use. Over-broad auto-invocation increases attack surface by causing unnecessary activation of a shell- and file-capable skill in contexts where simpler, safer handling would suffice.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The editing workflow instructs unpacking, manipulating, cleaning, and repacking presentation content but does not prominently warn that these steps modify files and may overwrite or alter document structure. In practice, that can lead to unintended data loss, corruption, or destructive edits to user documents, especially when applied automatically.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The conversion instructions create PDFs and JPEG slide renders on disk, but the documentation does not clearly warn about derivative files being written. This can leak presentation contents into additional artifacts, leave sensitive data behind in working directories, and surprise users who expected read-only inspection.

VirusTotal

64/64 vendors flagged this skill as clean.