HTML Front-End Video Design Specification (HTML前端视频设计规范)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate slide-building skill, but its optional helpers can publish decks to a public Vercel URL and download or install external tooling with limited last-step safeguards.

Install only if you are comfortable with optional public hosting and runtime package downloads. Before using deploy, review the deck and asset folder for secrets, private business material, customer data, speaker notes, or internal images; use local HTML/PDF export for sensitive decks. Expect PDF export to download Playwright/Chromium if missing, and check Vercel settings or delete the project when a public URL should no longer exist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch

Medium, 94% confidence
The manifest presents the skill as a slide creation/conversion tool, but the body adds deployment to a public Vercel URL. That is a materially different capability because it can exfiltrate generated or user-supplied presentation content to an internet-accessible endpoint, which changes the trust and threat model.

Context-Inappropriate Capability

Medium, 90% confidence
The skill directs the agent to use external hosting and network-dependent tooling such as Vercel CLI, Node installation, and Playwright/Chromium downloads. These actions expand the attack surface beyond local slide generation by introducing third-party services, package installs, authentication flows, and outbound network activity that may expose user content or environment metadata.

Context-Inappropriate Capability

Medium, 92% confidence
The script performs `npm install playwright` and `npx playwright install chromium` at runtime, which downloads and executes third-party code and binaries from the network during normal use. Even though this appears intended for convenience rather than abuse, runtime dependency installation expands the trust boundary, reduces reproducibility, and creates supply-chain risk if registries, packages, or transit paths are compromised.

Missing User Warnings

Medium, 95% confidence
The README explicitly promotes deploying generated presentations to a permanent live URL but does not warn that the content may become publicly accessible or indexed if misconfigured or shared broadly. Because presentations often contain business plans, customer data, internal roadmaps, or other sensitive material, users may unintentionally expose confidential information.

Missing User Warnings

Low, 80% confidence
The skill offers browser-based editing with auto-save to localStorage but does not clearly warn that presentation text will persist on the device until manually cleared. On shared or managed machines, sensitive draft content could remain accessible to later users or browser profiles.

Vague Triggers

Medium, 93% confidence
The trigger phrase at line 8 is broad enough to match common user requests for creating presentations, which can cause the skill to activate in situations where the user did not specifically intend to invoke this capability. In a routing or auto-invocation system, this increases the risk of unintended tool selection, misrouting, and reduced user control over how content is handled.

Vague Triggers

Medium, 91% confidence
The trigger on line 10 is likely to match ordinary conversation about generating slides or presentations, making accidental activation plausible. This is dangerous because overly permissive triggers can redirect benign requests into a powerful generation workflow without clear user intent, especially in systems that auto-select skills based on phrase matching.

Vague Triggers

Medium, 88% confidence
The phrase on line 12 overlaps with common conversational requests and does not clearly distinguish this specialized front-end slide skill from general assistance. In context, that ambiguity can lead to unintended invocation, which may expose user content to an unnecessary transformation pipeline or create confusion about what the system is doing.

Vague Triggers

Low, 86% confidence
The manifest lists multiple broad triggers but provides no trigger-boundary guidance, scoping rules, or exclusion conditions. Without these controls, the routing layer has no clear way to distinguish between legitimate requests for this specialized slide-generation skill and ordinary conversational requests about presentations.

Missing User Warnings

Medium, 95% confidence
The script can automatically install the Vercel CLI globally and later perform a public production deployment without an explicit user confirmation immediately before those actions. In a skill context, this is risky because invoking the script may publish potentially sensitive slide content to a permanent public URL and modify the user's environment by installing software they did not clearly approve.

Missing User Warnings

Medium, 89% confidence
The script does disclose that Playwright is being set up, but it does not clearly communicate that it will fetch packages and a Chromium binary from the network and then execute that tooling. In a local utility script, silent or minimally disclosed network installation is risky because users may not expect code download/execution during a PDF export operation, making social engineering and supply-chain compromise more plausible.

VirusTotal

VirusTotal findings are pending for this skill version.