ClawHub

Fast PPT

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill does what it says, but it uploads documents to a remote, unauthenticated HTTP service and returns externally hosted download links without clear consent, privacy, or retention guidance.

Install only if you are comfortable sending source documents to the pingPPT remote service and receiving results through external ppt.siping.me links. Avoid confidential, regulated, or sensitive documents unless the publisher documents HTTPS upload, retention, deletion, and link access controls, and consider requiring explicit confirmation before each upload.

SkillSpector (3)

By NVIDIA

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly states that documents/PDFs are processed by a remote service and that users receive a public-facing download link, but it does not warn that file contents are transmitted off-host, stored server-side, or potentially exposed via link sharing. In a document-conversion skill, this omission is security-relevant because users may upload sensitive business or personal documents without informed consent about privacy, retention, or access controls.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad natural-language phrases such as '改成ppt' and '做成幻灯片', which can plausibly appear in ordinary conversation and cause the skill to activate unintentionally. Because this skill uploads user files to a remote service, accidental invocation can lead to unintended external transmission of potentially sensitive documents, making overbroad triggering materially risky in this context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to send user-provided documents to a remote HTTP API and later return an external download link, but it does not require upfront user warning or consent about off-platform transfer. This is dangerous because users may reasonably assume local processing, and the use of a raw HTTP backend increases exposure to interception or mishandling of sensitive file contents during transit.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal