Pptx Anthropic

Security checks across malware telemetry and agentic risk

Overview

This PPTX skill mostly supports presentation workflows, but it includes under-disclosed Office-document capabilities and a native LibreOffice preload shim that deserve manual review before installation.

Install only if you are comfortable with a presentation skill that can run local Office tooling, modify document directories, and use a native LD_PRELOAD workaround for LibreOffice rendering. Prefer running it in a sandbox or disposable workspace, avoid feeding untrusted Office files unless you accept ZIP/XML parser risk, and review or remove the DOCX/XLSX and preload-shim paths if you only need PPTX support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    src = Path(tempfile.gettempdir()) / "lo_socket_shim.c"
    src.write_text(_SHIM_SOURCE)
    subprocess.run(
        ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"],
        check=True,
        capture_output=True,
    )
Confidence
95% confidence
Finding
subprocess.run( ["gcc", "-shared", "-fPIC", "-o", str(_SHIM_SO), str(src), "-ldl"], check=True, capture_output=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no declared permissions while explicitly instructing use of shell commands, file reads/writes, and environment-dependent tooling. This creates a hidden capability gap: callers and policy layers may treat the skill as low-risk even though it can execute external programs and manipulate local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is handling PPTX files, but the behavior footprint appears to extend into DOCX/XLSX processing and, more importantly, LibreOffice runtime manipulation via an LD_PRELOAD socket shim. Capability sprawl and hidden runtime interception are dangerous because they expand the attack surface beyond user expectations and can bypass trust boundaries or monitoring assumptions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This helper is explicitly DOCX-specific (`word/document.xml`, WordprocessingML run merging) but is packaged under a skill whose manifest says it should only be used for PPTX files. That scope mismatch is dangerous because an agent may invoke or expose unintended file-handling capabilities outside the declared trust boundary, leading to modification of Word documents when users or policy expect PPTX-only behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill manifest says this skill should be used specifically for PPTX-related operations, but this code also packs DOCX and XLSX files. That capability mismatch expands the skill's effective scope beyond what orchestration and reviewers may expect, which can lead to unintended handling of document types with different security and validation requirements. In this context, the mismatch is more dangerous because Office document processing is sensitive and format-specific, so hidden multi-format support undermines least-privilege assumptions for the skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The DOCX-specific redlining and author inference logic is unrelated to the declared PPTX purpose of the skill, indicating hidden functionality not reflected in the manifest. Extra document-manipulation features increase attack surface and may allow unexpected processing of tracked changes or metadata, especially if other components trust the manifest to understand what the skill can do. The skill context makes this more concerning because presentation handling should not silently include word-processing revision features.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This helper creates and injects an LD_PRELOAD library to alter libc socket behavior, which is a privileged and stealthy technique unrelated to ordinary presentation processing. In the context of a PPTX skill, that makes the behavior more suspicious and dangerous because it bypasses platform restrictions and executes arbitrary native code inside the target process.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements Word .docx redlining validation even though the declared skill scope is strictly for .pptx/PowerPoint handling. Capability drift like this is dangerous because it expands what the agent can process beyond user-declared expectations, increasing the attack surface and enabling document handling behaviors that may bypass policy, review, or least-privilege assumptions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The subprocess-based git diff feature is unrelated to the stated PowerPoint-only purpose and adds unnecessary execution capability to the skill. Even if this specific invocation is not command-injectable, introducing external tool execution where it is not needed broadens the runtime attack surface, creates environment-dependent behavior, and can be abused in a compromised or unexpected deployment context.

Vague Triggers

High
Confidence
88% confidence
Finding
The trigger guidance is extremely broad, activating on generic terms like 'deck,' 'slides,' or 'presentation' regardless of intended action. Over-broad invocation can route unrelated user requests into a powerful file/shell-capable skill, causing unnecessary file access, command execution, or processing of untrusted content.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
Using a hard-coded default author of "Claude" can silently misattribute edits when author inference fails, causing incorrect provenance in tracked changes. In document workflows, especially legal, compliance, or audit-sensitive contexts, false attribution can mislead reviewers and undermine trust in revision history.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The shim source and compiled shared object are stored at predictable names in the global temp directory, enabling symlink, clobbering, or pre-placement attacks by other local users or concurrent processes. Because the resulting .so is later loaded with LD_PRELOAD, a successful file-manipulation attack can lead to arbitrary code execution in the spawned soffice process.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The code extracts a user-supplied Office ZIP archive with zipfile.extractall() into a temporary directory without validating archive member paths, sizes, or symlink behavior. A crafted archive can potentially perform path traversal ('Zip Slip') or cause resource exhaustion during extraction, which is more concerning because this skill explicitly handles untrusted .pptx files from users.

VirusTotal

64/64 vendors flagged this skill as clean.
