Generate Presentation

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it also includes an unexplained broad rsync permission and image tools that can read or write arbitrary absolute file paths.

Review it before installing. Remove or ignore the packaged .claude/settings.local.json unless you intentionally want rsync preapproved. Use a dedicated, limited OpenAI API key. Keep confidential slide content and private images out of the skill unless processing by OpenAI/Azure is acceptable to you. Constrain MCP image inputs and outputs to the presentation workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This skill is for generating presentations, but the packaged .claude/settings.local.json preapproves Bash execution of rsync, which is not needed for rendering markdown, fetching design docs, or exporting HTML/PDF. A preapproved, shell-backed file-synchronization command expands the attack surface: if the skill or its inputs are abused, the agent can copy local content to any destination rsync can reach without a further permission prompt.
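The check a reviewer would run before installing, as an added example (not code from the skill or from SkillSpector): parse the packaged settings file and flag every allow-rule that preapproves shell execution, rating wildcard rules for file-transfer commands as high. It assumes the Claude Code settings schema, `{ "permissions": { "allow": ["Bash(rsync:*)"] } }`, where `Tool(args)` scopes a rule and a trailing `*` makes the argument pattern a prefix match; the sample settings are constructed.

```javascript
// Added example, not part of the skill: audit a packaged
// .claude/settings.local.json before installing and flag every allow-rule
// that preapproves shell execution. Assumption: the file follows the Claude
// Code settings schema, { "permissions": { "allow": ["Bash(rsync:*)"] } },
// where "Tool(args)" scopes a rule and a trailing "*" makes it a prefix match.

const SHELL_TOOLS = new Set(['Bash']);
// Commands that, once preapproved with wildcard arguments, let the agent copy
// local content to any destination it can name.
const TRANSFER_COMMANDS = new Set(['rsync', 'scp', 'sftp', 'ssh', 'curl', 'wget']);

// Split "Tool(args)" into its parts; a bare "Tool" means any invocation.
function parseRule(rule) {
  const m = /^([A-Za-z]+)(?:\((.*)\))?$/.exec(rule.trim());
  return m ? { tool: m[1], args: m[2] ?? null } : { tool: rule.trim(), args: null };
}

// One finding per shell rule, rated by how much the approved pattern covers.
function auditPermissions(settingsJson) {
  const allow = JSON.parse(settingsJson)?.permissions?.allow ?? [];
  const findings = [];
  for (const rule of allow) {
    const { tool, args } = parseRule(rule);
    if (!SHELL_TOOLS.has(tool)) continue;
    const anyCommand = args === null || args === '' || args === '*';
    const command = anyCommand ? '*' : args.split(/[\s:]/, 1)[0];
    const wildcardArgs = anyCommand || args.endsWith('*');
    let severity = 'medium';                                    // fixed, exact command line
    if (anyCommand) severity = 'high';                           // any shell command at all
    else if (wildcardArgs && TRANSFER_COMMANDS.has(command)) severity = 'high';
    findings.push({ rule, command, severity });
  }
  return findings;
}

// Constructed sample mirroring the concern on this page: rsync preapproved
// with any arguments, next to rules a presentation skill plausibly needs.
const SAMPLE_SETTINGS = JSON.stringify({
  permissions: { allow: ['Bash(rsync:*)', 'Read', 'Write(presentation/**)'] },
});

for (const f of auditPermissions(SAMPLE_SETTINGS)) {
  console.log(`${f.severity.toUpperCase()}: ${f.rule} preapproves "${f.command}"`);
}
```

Run it against the skill's bundled `.claude/settings.local.json` before copying that file into a project; any `high` line is a rule to delete or narrow to the exact command line the skill actually needs.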

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The instructions authorize installing Python packages with pip if conversion fails, which modifies the local environment beyond the core task of generating slides. Unbounded package installation can introduce supply-chain risk, alter shared environments, and violate least-privilege expectations for a content-generation skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The server accepts an arbitrary --env-file path, reads it directly, and injects every parsed key/value into process.env without any allowlist, path restriction, or trust boundary. In an agent/tooling context this can let an attacker influence credentials, endpoints, runtime behavior, or proxy settings by pointing the skill at an attacker-controlled file, which is especially risky because the code also suppresses warnings that might otherwise signal misconfiguration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The create-image tool permits writing generated image bytes to any absolute path supplied by the caller, with no sandboxing or directory allowlist. In an agent environment this is a dangerous arbitrary file write primitive: an attacker can overwrite user files, place content in sensitive locations, or abuse auto-selected output paths when large responses are silently switched from base64 to file output.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The edit-image tool accepts arbitrary absolute paths for image and mask inputs and then opens those files for upload to the OpenAI API. That creates a local file read and exfiltration primitive: if an attacker can influence tool arguments, they can cause sensitive local files to be accessed and transmitted off-host under the guise of image editing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README states that the skill uses OpenAI GPT Image models and analyzes user-supplied reference images, but it does not clearly warn that prompts, slide content, and possibly design/reference assets may be sent to a third-party API. In a presentation-generation context, users may provide confidential business plans, internal documents, or proprietary design materials, so lack of explicit disclosure creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The README documents generated outputs under a presentation/ directory and mentions regeneration, but it does not clearly warn that running the skill writes files into the workspace and may overwrite or replace prior outputs. This can lead to accidental data loss or unintended modification of tracked project files, especially when agents operate autonomously.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill writes many outputs under `presentation/` and may overwrite existing files without prominently warning the user first. This is dangerous because it can destroy prior work products or create unexpected local artifacts, especially when the directory already exists or when inputs are regenerated multiple times.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill fetches arbitrary URLs and processes their contents without clearly warning the user that network access will occur. This can expose browsing intent, retrieve sensitive intranet or authenticated resources if the tool permits, and ingest untrusted remote content into downstream generation steps.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill requires `OPENAI_API_KEY` and instructs sending slide/image prompts to an external image-generation service, but it does not clearly warn that presentation content may leave the local environment. Because slide material may include confidential business information, this omission creates a meaningful data-exfiltration and privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill directs the agent to execute shell commands (`python3` and potentially `pip install Pillow`) without an explicit warning about subprocess execution or environment modification. Subprocess execution expands the attack surface, can fail unpredictably across systems, and may be abused to alter the host state in ways users did not anticipate.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The tool can automatically change behavior from returning data inline to writing files on disk when output exceeds 1MB, and it does so without an explicit confirmation step. In a user-facing agent workflow this surprises the caller and increases the risk of unintended filesystem modification, especially combined with caller-controlled or default temp paths.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The edit-image flow reads arbitrary absolute-path files and uploads their contents to a remote API without any explicit warning or consent checkpoint. In the context of an agent skill, this meaningfully increases danger because local file access is easy to disguise as normal tool use, turning the feature into a covert exfiltration path for sensitive host data.

VirusTotal

64/64 vendors report this skill as clean (no antivirus detections). A clean antivirus result says nothing about the permission and data-flow findings above, which concern how the skill is allowed to behave, not whether its files match known malware.