ClawHub
Back to skill

Security audit

revol-presentation-html-generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent presentation/article generator, with ordinary template and rendering risks but no evidence of hidden exfiltration, persistence, or destructive behavior.

Before installing, be aware that generated presentations may load scripts and styles from public CDNs when opened, so use offline or vendored assets for sensitive environments. Also specify the desired output language and review generated files before sharing them, especially if the skill summarized private project content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template pulls executable JavaScript and stylesheets from public CDNs at runtime, including Reveal.js, Mermaid, and MathJax. This creates a supply-chain and network-trust risk: if a CDN response is compromised, blocked, or unexpectedly changed, opening the generated presentation can execute untrusted code in the viewer's browser, which exceeds the minimal local rendering expected from a content-generation skill.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill hard-codes Chinese as the default output language without checking the user's preference or documenting a locale requirement. This can cause unintended language switching, reduce usability, and in some contexts lead to misunderstandings or incorrect downstream use of generated technical content, though it is not a direct code-execution or data-exfiltration issue.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal