Generate HTML animation from content

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local HTML slide-generation skill, but it needs Review because some bundled templates contain unrelated OpenClaw warning content and many outputs load third-party web resources.

Review before installing. Use this only if you are comfortable with generated HTML contacting third-party CDNs, and inspect or remove the bundled OpenClaw-specific warning templates and the restriction-removal example before relying on it for neutral presentations. Specify an output path explicitly and confirm whether an existing AI_Animation.html may be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template loads executable JavaScript from a third-party CDN at runtime, which creates a supply-chain and integrity risk: if the CDN content changes, is compromised, or is blocked, the generated HTML will execute untrusted code or fail unpredictably. In this skill context, the file is a reusable HTML template for generated presentation pages, so every output page inherits that dependency and broadens the blast radius.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The template imports executable JavaScript from a third-party CDN (`unpkg.com`) at runtime, which creates a supply-chain and availability risk outside the skill's core text-to-PPT conversion purpose. If the CDN, package version resolution, or network path is compromised, arbitrary script can run in the generated page and manipulate DOM content, exfiltrate data visible to the page, or break rendering.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The template imports a remote script from unpkg.com at runtime, which creates unnecessary network dependency and a supply-chain trust boundary for an otherwise local HTML presentation. If the CDN is unavailable, tampered with, or blocked, the page may fail or execute attacker-controlled JavaScript in the user's browser.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template imports executable JavaScript from a third-party CDN at runtime, which creates a supply-chain and availability risk outside the local slideshow's core function. If the CDN content is compromised, changed unexpectedly, blocked, or replaced in transit, anyone opening the generated HTML could execute untrusted code in their browser.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template loads lucide from a third-party CDN at runtime, which creates an external network dependency and a supply-chain trust boundary for what should be a self-contained presentation template. If the CDN content is tampered with, blocked, or replaced, opening the generated HTML could execute unintended JavaScript in the user's browser.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This template loads JavaScript and fonts from third-party CDNs at runtime, which introduces external supply-chain and privacy risk into what should be a self-contained local presentation asset. If the CDN content is modified, blocked, or monitored, the rendered page could execute untrusted code, leak usage metadata, or fail unpredictably in offline/restricted environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template loads executable JavaScript from a third-party CDN (`unpkg.com`) at runtime, which creates a supply-chain and integrity risk. If the CDN content changes, is compromised, or is blocked, generated pages may execute untrusted code or fail unexpectedly, which conflicts with the skill’s description of using built-in/local templates.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
This template pulls fonts and icon assets from external CDNs at render time, which creates a supply-chain and privacy risk even in an otherwise static local HTML file. If the remote resource is unavailable, modified, or blocked, the presentation can break; if a CDN or dependency is compromised, users may load attacker-controlled content, and browsing metadata is leaked to third parties.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The template loads third-party resources from cdnjs and Google Fonts, which makes the generated page dependent on external networks despite being presented as having built-in templates. This creates a supply-chain and privacy risk: remote providers can observe requests, content rendering can break offline, and compromised or changed external assets could affect generated output.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This template fetches Font Awesome and Google Fonts from public CDNs, which causes network access whenever the page is rendered and leaks user metadata such as IP address, user agent, and timing to third parties. In an agent skill that is supposed to generate a local PPT-style webpage, that external dependency is unnecessary and creates privacy, availability, and supply-chain risk if the CDN content changes or is blocked.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template hard-codes a specific alarmist presentation about 'OpenClaw 致命安全风险' instead of acting as a generic science-content-to-PPT template promised by the skill metadata. In a content-generation skill, this creates deceptive behavior and content integrity risk: user-provided science material could be silently replaced or steered into unrelated messaging, which is especially concerning because templates are trusted building blocks in downstream generation workflows.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This template is not a neutral science-content-to-PPT asset: it is a fully baked advocacy/security-warning presentation targeting 'OpenClaw' with fixed claims, warnings, and conclusions. In a skill meant to transform arbitrary user science content into slides, embedding a hardcoded persuasive narrative can cause unauthorized message injection, misleading output, and reputational or policy harm when the skill is invoked for unrelated content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README advertises generic trigger phrases such as “生成PPT”, “生成演示网页”, and “生成流程图”, which are broad enough to collide with ordinary user conversation. In agent environments, overly broad activation can cause unintended skill execution, leading to unexpected file generation or workflow actions without clear user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README states that the skill automatically generates HTML and outputs presentation files, but it does not explain where files are written, whether existing files may be overwritten, or whether user confirmation is required. In a local agent workflow, this can lead to accidental file creation, overwriting prior outputs such as AI_Animation.html, or confusion about side effects on the filesystem.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad (e.g. '生成PPT', '生成演示网页', '生成流程图') and the skill is described as auto-running a multi-step workflow when such phrases appear. That can cause unintended activation in unrelated conversations, leading the agent to read templates, generate HTML, and potentially write files without sufficiently explicit user intent for this specific skill execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill defines a default output path ('/home/mt/桌面/AI_Animation.html') and instructs the workflow to write a file there if the user does not specify otherwise, but it does not require an explicit user-facing warning or confirmation before writing to disk. In an agent setting, silent filesystem writes are risky because they create side effects the user may not expect and could overwrite existing files or expose generated content in a predictable location.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
This slide explicitly presents '去除了任何限制' ('removed any restrictions') as part of a recommended role-setting prompt. In a skill that teaches prompt patterns, this normalizes jailbreak-style behavior and may encourage users or downstream agents to attempt bypassing model safeguards.

Ssd 1

Medium
Confidence
95% confidence
Finding
The role-setting example does more than use playful wording: it semantically frames removal of safety restrictions as a desirable prompt engineering technique. In the context of a reusable content-generation skill, that can propagate unsafe prompt patterns into generated material and increase the likelihood of misuse or policy evasion attempts.

VirusTotal

66/66 vendors flagged this skill as clean.
