ClawHub

Deck Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local deck translation and polishing workflow, but users should run it on copies because it can edit presentation and spreadsheet files.

Install only if you are comfortable letting it read and modify local deck and spreadsheet files. Use copies for important or confidential presentations, confirm output paths before writes, close PowerPoint/Excel before running it, and consider pinning dependencies in a virtual environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger conditions are broad enough to match many ordinary deck-editing or translation requests, which can cause the skill to activate when the user did not explicitly intend to invoke this workflow. In an agent setting, unintended invocation matters because this skill performs multi-stage document processing and file writes, increasing the chance of unexpected edits or workflow hijacking.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Phrases like 'just polish', 'format only', or 'skip translation' are common conversational language and can overlap with routine user instructions unrelated to this specific skill. That ambiguity raises the risk of accidental activation, which is especially problematic here because the skill may proceed into document modification and overwrite behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Defaulting to overwriting the original file creates a direct data-loss risk, particularly in an automated skill that edits presentation and companion files. The lock-file check helps with concurrent access, but it does not protect against user mistakes, partial corruption, bad transformations, or irreversible loss of the pre-edit source.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal