html-ppt

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent HTML/PPT report generator, but it needs review because its normal workflow can use the web, mutate persistent style files, and reference an undeclared local Node screenshot command without clear user control.

Install only if you are comfortable with web lookups, external font loading, and local file generation. Use a dedicated output folder, require confirmation before network access or overwrites, prevent writes into the installed skill directory, and do not run `node screenshot_batch.js` unless you have reviewed or supplied that script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill directs the agent to create new files under the skill directory when a style file is missing, which expands behavior from report generation into persistent modification of local resources. This is dangerous because user-triggered content generation should not mutate the installed skill or its reference corpus, and such writes could be abused to plant data, alter future runs, or violate sandbox and integrity expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The file template requires `@import` from Google Fonts, introducing external network retrieval that is not necessary for core HTML report generation. This creates privacy and supply-chain risk because report rendering may contact third parties, leak usage metadata, fail unpredictably offline, or load unreviewed remote resources into generated output.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The workflow mandates using `web_search` to fetch external data before generating reports, which expands the skill from local HTML report generation into networked retrieval without clear user disclosure or tight scoping. This creates unnecessary external data exposure and capability creep, especially if user-provided topics or sensitive content are sent to third-party services during search.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The workflow instructs execution of `node screenshot_batch.js` for verification, introducing subprocess/code execution beyond the core report-generation purpose. Running local scripts from the skill directory increases risk of arbitrary code execution if the script is modified, replaced, or contains unsafe behavior.

Intent-Code Divergence

Severity: High
Confidence: 91%
Finding: The checklist requires explicit user confirmation before HTML generation, directly contradicting the skill manifest's instruction to generate immediately without confirmation. This inconsistency creates ambiguous control flow that can cause the agent to either bypass intended consent gates or behave unpredictably, which is dangerous for a skill that produces potentially large, user-visible outputs and may trigger downstream actions without clear authorization.

Intent-Code Divergence

Severity: High
Confidence: 94%
Finding: This section explicitly tells the agent to stop and wait for a user reply such as '继续' (Chinese for 'continue') before generating HTML, which conflicts with the manifest's 'no confirmation needed' behavior. Conflicting operational instructions are a security risk because they undermine predictable safeguards and can lead to unauthorized generation or prompt-injection-style control over when the skill executes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The file explicitly instructs the skill to perform WebSearch when a requested diagram is not present in the local library, which expands behavior beyond a self-contained HTML/PPT template generator into external data retrieval. This creates scope creep and can cause unreviewed network access, privacy leakage of user content, and nondeterministic outputs sourced from external sites.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The documented search step is not clearly necessary for a built-in template report generator and therefore introduces unnecessary external capability. If triggered, user prompts or business concepts may be sent to third-party search providers, exposing sensitive information and increasing attack surface without a strong functional justification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill is presented as a local HTML/PPT report generator, but its workflow mandates live network data lookups. This expands the skill's capabilities beyond user-visible expectations, creating a trust and data-handling mismatch that can cause unintended outbound requests and retrieval of untrusted external content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The documented workflow allows creating new local design-system files when a style file is missing, even though the skill is described as a report generator rather than a file-mutating tool. Undisclosed local file creation can alter the workspace unexpectedly, introduce persistence, and be abused to plant or overwrite artifacts without informed user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Automatic network querying is not clearly necessary for a skill whose stated purpose is formatting user input into HTML pages. Unjustified network access increases the risk of prompt-data leakage, pulling in malicious or inaccurate content, and violating user expectations about local-only processing.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding: The workflow requires reading `check.txt` from the skill directory and using its contents as self-check instructions without transparency to the user. Treating local file contents as implicit instructions creates a prompt-injection/config-tampering surface, because whoever can modify that file can influence model behavior unexpectedly.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding: The workflow tells the skill to run `node screenshot_batch.js` without any user-facing warning, so the agent may spawn a subprocess silently. Hidden execution materially increases risk because users cannot assess or consent to local code execution, filesystem access, or indirect network behavior performed by the script.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The trigger phrases are broad and the skill is configured to run immediately without confirmation, which makes accidental activation likely. In this skill, automatic activation is more dangerous because the workflow also includes network access and file creation, so a casual request to 'make HTML' could trigger unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs network retrieval and file creation but does not warn users that these side effects may occur. Hidden side effects undermine informed consent and can expose sensitive input externally or modify the local environment unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.