OpenMAIC Convert Pptx

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised OpenMAIC-to-PPT export, but its cleanup guidance can delete unrelated presentation files from the user's workspace.

Install only if you are comfortable running a local Node exporter against a trusted OpenMAIC directory. Before sharing a generated PPT, check whether speaker notes are included or use --no-notes. Do not use the wildcard cleanup command; delete only the exact generated file after confirming you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly instructs the agent to export course content into a PPT, include speaker notes by default, and send the generated file to the user, but it does not mention any need to verify authorization or warn that notes may contain sensitive/internal material. In an agent setting, this can lead to unintended disclosure of full course content, unpublished materials, or private speaker notes to an unauthorized requester.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that speaker notes are included by default, but it does not prominently warn users that exported PPT files may contain additional course/script content that could be unintentionally disclosed when the file is shared. This creates a real privacy and data-leak risk because users may assume the output only contains visible slides.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow instructs automatic deletion of generated PPT files from the workspace after sending, without clearly warning the user or requiring confirmation. This can cause unintended data loss, especially if the generated file is the only local copy or if multiple PPT files in the workspace match cleanup behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example workflow states that speaker notes are included by default and only asks whether they are needed after already framing inclusion as the default. Speaker notes often contain internal guidance, unpublished details, or sensitive commentary, so exporting and sharing them without a clear warning and opt-in can cause unintended data disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The best-practice guidance recommends deleting generated PPT files after sending them, but the example does not clearly warn the user or require confirmation before deletion. This can cause accidental data loss, especially if delivery fails, the user wants to retain a local copy, or the file is deleted before verification.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
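```
ls ~/.openclaw/workspace/*.pptx

# 4. Clean up test files (optional)
rm -f ~/.openclaw/workspace/*.pptx
```

**Note**: The script automatically locates the OpenMAIC installation, so there is no need to specify the path manually. If OpenMAIC is installed in a non-standard location, you can specify it manually with the `--openmaic-path` parameter.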
Confidence
92% confidence
Finding
rm -f ~/.openclaw/workspace/

VirusTotal

66/66 vendors flagged this skill as clean.
