Gamma Presentation Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Gamma presentation tool, but it needs review because it sends presentation content to Gamma and can use local Gamma credentials with inconsistent disclosure.

Install only if you are comfortable sending presentation prompts, outlines, and slide content to Gamma. Use a scoped Gamma API key, review whether ~/.gamma/config.json exists before running it, avoid confidential or regulated content unless approved for Gamma processing, and choose output paths carefully because overwrite behavior is not documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes external code with access to an environment variable and an external API, yet the skill manifest does not clearly declare corresponding permissions. Undeclared env/network use weakens reviewability and user consent, making it easier for sensitive data or prompts to be sent off-box without transparent disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description says no Gamma account is needed, but the implementation requires a Gamma API key and reportedly reads local credential material from ~/.gamma/config.json. This mismatch is security-relevant because it can mislead users and reviewers about credential handling, local file access, and the true trust boundary of the skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says the skill sends user-provided topic/content to the Gamma API and that the skill owner pays, but it does not clearly warn users that their prompts and presentation content are transmitted to a third-party service. In an agent skill context, users may provide sensitive business, customer, or internal planning data, so the lack of an explicit privacy/data-sharing notice creates a real risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does not clearly warn that user-supplied presentation content is transmitted to Gamma's external service for processing. That omission can cause users to unintentionally send confidential business, personal, or regulated data to a third party, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to send user-provided presentation content to Gamma's external API using `GAMMA_API_KEY`, but it does not warn that the content will leave the local environment and be transmitted to a third party. This creates a real privacy and data-handling risk because users may provide sensitive business, customer, or internal material expecting local assistance rather than external sharing.

VirusTotal

64/64 vendors flagged this skill as clean.
