Report Ppt Generator Pro

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it helps generate PowerPoint files from user-provided content, with disclosed use of local files, LLMs, optional image generation, and PPTX export.

Reasonable to install if you want automated PPT generation. Before using it with confidential material, confirm which LLM/provider will receive your text and screenshots, review the nanobanana-skill dependency if you use AI illustrations, and avoid untrusted image URLs unless your environment restricts outbound requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases are generic presentation-related commands such as 'generate ppt' and 'create slides', which are likely to overlap with ordinary user requests and cause the skill to activate when the user did not explicitly intend to use it. In a skill that can process documents, style examples, previews, and exports, unintended activation increases the chance of unnecessary data exposure and unexpected autonomous actions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide recommends fetching arbitrary network image URLs directly with `fetch(url)` and embedding the results, but it does not warn about privacy, metadata leakage, or server-side request risks. In a PPT-generation skill that may process user-supplied image sources, this can cause outbound requests to attacker-controlled hosts, expose IP/network information, and potentially enable SSRF against internal resources if the runtime has network access.

VirusTotal

63/63 vendors flagged this skill as clean.
