PPT Master

Security checks across malware telemetry and agentic risk

Overview

PPT Master is mostly a coherent presentation-generation skill, but it includes and recommends watermark removal plus broad web fetching with weak transport safeguards, so it should be reviewed before use.

Install only if you are comfortable auditing the workflow first. Remove or avoid the Gemini watermark-removal tool and related instructions, confirm rights for all generated or downloaded assets, avoid submitting confidential project content to third-party image services without approval, and run URL conversion only for public or authorized pages with network/TLS safeguards enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs agents to remove watermarks from AI-generated images, which facilitates circumvention of attribution, licensing, or provider safeguards unrelated to legitimate PPT/SVG generation. In this context, the instruction enables misuse of third-party content and can lead to copyright, terms-of-service, and trust violations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs users to remove Gemini-generated image watermarks using a local script or third-party tool. Watermark/provenance removal is unrelated to the core purpose of generating presentation images and can facilitate circumvention of attribution or authenticity signals, creating legal, policy, and trust risks.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The README documents a dedicated `gemini_watermark_remover.py` utility whose stated purpose is to remove provider-applied watermarks from AI-generated images. That capability is outside the stated presentation/SVG-generation scope and directly facilitates removal of provenance or attribution markers, which increases abuse potential rather than serving a normal formatting or export need.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A documented capability to remove Gemini watermarks is context-inappropriate for a presentation creation tool because it enables concealment of AI origin and potential violation of provider terms. In this skill context, the function is more dangerous, not less, because it can be seamlessly used in a content-production workflow to launder generated assets before presentation or redistribution.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is explicitly a utility to remove Gemini image watermarks, which falls outside the declared presentation/SVG generation purpose and enables circumvention of attribution or usage controls on generated media. In skill context, this is more dangerous because it is packaged as part of an otherwise legitimate creative toolchain, making misuse easier and less conspicuous.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The implementation operationalizes watermark removal by detecting watermark placement, reconstructing an alpha map, and reversing the blend to recover underlying pixels. This is not incidental functionality; it is purposeful content-provenance removal that can facilitate policy evasion, copyright/terms violations, and deceptive reuse of generated images.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a general-purpose web crawler and Markdown archiver, which is materially different from the declared presentation/SVG generation purpose of the skill. Capability drift like this expands the skill's attack surface and can enable unreviewed network access and data collection under a misleading package description.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code fetches arbitrary HTTP/HTTPS URLs and stores converted content locally without apparent domain restrictions, allowlists, or purpose checks. In the context of a presentation/SVG skill, this creates an unjustified external retrieval and archiving capability that could be abused for broad content acquisition or unexpected network access.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The image-processing path downloads and stores remote images referenced by crawled pages, adding secondary retrieval capability beyond simple page conversion. This broadens exposure to untrusted remote resources, increases data egress/ingress risk, and compounds the mismatch between the skill's stated purpose and its actual behavior.

Description-Behavior Mismatch

High
Confidence
84% confidence
Finding
The file implements broad web crawling and markdown export behavior that is materially different from the declared presentation/SVG generation purpose of the skill. Capability mismatch increases supply-chain risk because it introduces undocumented network access and content acquisition features that a user or reviewer would not reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code allows arbitrary outbound requests to user-supplied URLs, which is a meaningful capability for SSRF-like access, internal network probing, or retrieval of unexpected content depending on the runtime environment. In a presentation/SVG generation skill, this capability is weakly justified and therefore more suspicious and risk-prone than in a dedicated web-ingestion tool.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The function bulk-downloads and persists remote images from fetched pages, expanding the skill from content transformation into content acquisition and storage. This increases risk by enabling mass retrieval of remote assets, consuming disk/bandwidth, and storing untrusted files locally without clear relation to the stated presentation/SVG purpose.

Missing User Warnings

High
Confidence
97% confidence
Finding
The watermark-removal instruction is presented operationally and without any user-facing warning, legal notice, or policy restriction, normalizing potentially unlawful manipulation of generated media. The lack of disclosure makes the conduct more dangerous because an agent could perform it automatically as part of normal workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly recommends removing Gemini image watermarks via a dedicated remover tool as part of the normal workflow. This encourages bypassing provenance or platform-imposed markings and may facilitate policy, copyright, or terms-of-service violations by users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly recommends removing Gemini image watermarks and links to watermark-removal tooling without any warning about legal, contractual, or ownership implications. In a content-generation skill, this can normalize bypassing provenance or attribution controls and may encourage policy-violating or infringing use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs automatic splitting and writing of notes into files under the project directory without requiring explicit user confirmation or warning that files will be created or overwritten. In an agent setting, silent file modification can lead to unintended data loss, overwriting user-authored notes, or unanticipated workspace changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill provides direct instructions to run local Python tools that modify project outputs and transform files, but it does not require warning the user or obtaining approval before executing those tools. In agent workflows, this expands risk because local scripts may alter many files, consume resources, or have side effects that the user did not authorize.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger condition '需要生成 AI 图片时' ("when AI images need to be generated") is broad and may cause the role to be invoked in situations where image generation was not explicitly intended. Overbroad activation increases the chance of accidental tool use or unnecessary workflow execution, though it is more of a safety and predictability issue than a direct exploit path.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The independent-use trigger '直接说明图片需求' ("directly state the image requirements") lacks clear phrases, boundaries, or confirmation requirements. This can lead to accidental activation and unintended generation steps, especially in multi-role systems where roles should be invoked only on precise signals.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill mandates writing `项目/images/image_prompts.md` with a file-writing tool but does not disclose that it will modify the user's workspace. Undisclosed file modification can surprise users, create trust issues, and in some environments lead to unintended changes to project state.

Missing User Warnings

High
Confidence
96% confidence
Finding
The automatic generation flow proposes calling external image-generation APIs without warning that prompts, project content, or derived data may be sent to third parties. This creates clear data exfiltration and privacy risks, especially when design documents contain confidential business or customer information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends third-party platforms such as Midjourney, DALL-E, Stable Diffusion, Gemini, and others, but does not warn about privacy, retention, licensing, or cross-border transfer risks. In a presentation-generation context, prompts may include sensitive project themes, product details, or internal strategy information, making this omission materially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README presents watermark removal as a normal utility without any warning about legal, contractual, provenance, or trust implications. Even if the author intended convenience, documenting it without restrictions normalizes misuse and lowers friction for users to remove origin markers from generated media.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The docstring openly instructs users to remove Gemini-generated image watermarks, providing natural-language guidance for improper use even before examining the code. This makes the dangerous intent unambiguous and increases risk by encouraging end users to perform attribution-removal as a supported workflow.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
TLS certificate verification is explicitly disabled for page fetches, which makes HTTPS connections vulnerable to man-in-the-middle interception and tampering. An attacker on the network path can alter fetched HTML, influencing both the markdown output and subsequent image URLs that the tool follows.

VirusTotal

66/66 vendors flagged this skill as clean.
