Pptx Master V1.2.3 20260507

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a PPT generation workflow, but it bundles several high-risk side tools such as watermark removal, self-updating, broad URL fetching, and flexible credentialed image-provider access.

Install only if you are comfortable with a presentation skill that can run local scripts, fetch web pages, use AI-provider API keys, and write project files. Avoid using the watermark-removal tool, review any use of update_repo.py before running it, keep .env files limited to the selected image provider, and process only trusted URLs, SVGs, and rotation task JSON files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to use shell commands, read and write project files, access environment-dependent paths, and fetch remote content, yet it declares no permissions. This creates a capability transparency failure: a user or hosting platform may authorize the skill under false assumptions, increasing the risk of unintended file modification, network access, or command execution when the workflow is invoked.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is PPT generation, but the broader behavior includes external AI image generation across multiple providers, repository self-update and dependency installation, PPTX/template extraction, image processing, and maintenance utilities. That mismatch is dangerous because operators may approve a content-generation skill without realizing it can perform software changes, contact third-party services, or process additional sensitive assets beyond the expected workflow.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documentation explicitly advertises a `gemini_watermark_remover.py` tool for removing watermark assets, which facilitates circumvention of provenance or usage markings on generated images. In the context of a PPTX-generation skill, this capability is not necessary for legitimate presentation conversion and increases legal, policy, and trust risks by enabling misuse of third-party or provider-marked content.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file explicitly implements removal of a watermark from Gemini-generated images, which is unrelated to the declared PPTX/SVG conversion purpose of the skill. A hidden watermark-removal utility is suspicious because it facilitates circumvention of provenance, branding, or platform restrictions and indicates the skill may contain undeclared dual-use or policy-evading functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The operational code exposes a complete CLI workflow for stripping watermarks from images, making the capability directly usable rather than incidental. In the context of a presentation-generation skill, this hidden functionality is more dangerous because users or downstream agents could invoke it to launder generated media, bypass attribution, or violate provider terms without any legitimate need for core skill operation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The backend allows a caller to override the Gemini API endpoint via GEMINI_BASE_URL, which means both prompts and the GEMINI_API_KEY can be sent to any arbitrary host, not just Google's official API. In a skill that processes potentially sensitive user content for presentation generation, this creates a clear exfiltration and credential-leak path if the environment or configuration is influenced by an attacker or untrusted operator.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The file implements a general-purpose image generation dispatcher with many external AI providers, which does not align with the stated PPTX conversion skill scope. Scope mismatch is dangerous because it expands the attack surface, adds undocumented network-capable functionality, and may cause operators to grant credentials and permissions they would not expect for a PPTX conversion tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script is designed to discover and consume API credentials for numerous third-party image providers from both process environment and a project-root .env file, despite the advertised skill being about PPTX conversion. In context, this increases risk because unrelated credential harvesting or unintended exfiltration paths become available inside a skill users may trust with broader repository access.
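A practitioner-side mitigation for the two findings above (the GEMINI_BASE_URL override and the multi-provider .env sweep), added here as an illustrative example rather than code from the skill: load only the selected provider's key, and accept an endpoint override only when it is https and its parsed hostname is that provider's allowlisted host. GEMINI_API_KEY and GEMINI_BASE_URL are the variable names the findings cite; the Gemini host is Google's documented API endpoint; the second provider entry and its variable names are assumptions standing in for whichever other providers the dispatcher supports.

```python
from urllib.parse import urlsplit

# Hypothetical provider table for this example. GEMINI_API_KEY / GEMINI_BASE_URL
# are the names cited in the findings; the "other" entry is an assumed stand-in
# for any additional provider the skill's dispatcher supports.
PROVIDERS = {
    "gemini": {
        "key_var": "GEMINI_API_KEY",
        "url_var": "GEMINI_BASE_URL",
        "default_url": "https://generativelanguage.googleapis.com",
        "allowed_hosts": {"generativelanguage.googleapis.com"},
    },
    "other": {
        "key_var": "OTHER_PROVIDER_API_KEY",
        "url_var": "OTHER_PROVIDER_BASE_URL",
        "default_url": "https://api.other-provider.example",
        "allowed_hosts": {"api.other-provider.example"},
    },
}


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def validate_base_url(url: str, allowed_hosts: set) -> str:
    """Accept an endpoint only if it is https and its parsed host is allowlisted.

    The check is on urlsplit().hostname, not a string prefix, so both
    https://generativelanguage.googleapis.com.evil.example/ and
    https://generativelanguage.googleapis.com@evil.example/ are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"endpoint must be https, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("endpoint must not embed credentials")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"endpoint host {host!r} is not an allowed provider host")
    return url


def load_provider_config(provider: str, env: dict, dotenv_text: str = "") -> dict:
    """Return the selected provider's key and a validated endpoint, nothing else.

    Other providers' keys found in .env are reported so the operator can remove
    them; they are never returned. Process environment overrides .env here
    (an assumption; adjust if the skill's loader does the opposite).
    """
    spec = PROVIDERS[provider]
    dotenv = parse_dotenv(dotenv_text)
    merged = {**dotenv, **env}
    api_key = merged.get(spec["key_var"])
    if not api_key:
        raise KeyError(f"{spec['key_var']} is not set")
    base_url = validate_base_url(
        merged.get(spec["url_var"], spec["default_url"]), spec["allowed_hosts"]
    )
    unused = sorted(
        s["key_var"] for name, s in PROVIDERS.items()
        if name != provider and s["key_var"] in dotenv
    )
    return {"provider": provider, "api_key": api_key,
            "base_url": base_url, "unused_keys_in_dotenv": unused}


if __name__ == "__main__":
    # Constructed .env for the demo; the key values are placeholders.
    sample_env = 'GEMINI_API_KEY="demo-key"\nOTHER_PROVIDER_API_KEY=leftover\n'
    print(load_provider_config("gemini", {}, sample_env))
    try:
        load_provider_config("gemini", {"GEMINI_API_KEY": "k",
                                        "GEMINI_BASE_URL": "https://evil.example/v1beta"})
    except ValueError as exc:
        print("rejected:", exc)
```

The point of reporting, rather than silently ignoring, the unused keys is the recommendation in the overview: a .env that carries credentials for providers the skill is not configured to use is exactly the material the dispatcher would otherwise pick up.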

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The project manager accepts arbitrary HTTP(S) URLs and fetches them via external converters, giving this local file-management helper network retrieval capability. In an agent skill context, this can enable SSRF-like access to internal resources, unexpected outbound requests, or ingestion of attacker-controlled content that is then processed by other tools.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fix workflow accepts paths from JSON tasks and explicitly permits absolute paths, then resolves relative paths through multiple fallback locations without enforcing that the final target stays within the intended project or images directory. If an attacker can influence fixes.json or trick a user into applying generated tasks, the script can overwrite arbitrary image files accessible to the user, causing unauthorized file modification outside the repo scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code resolves and opens image paths directly from untrusted SVG <image href> values without constraining them to an expected project directory. A crafted SVG can reference ../../ or absolute/encoded paths so the tool reads arbitrary local files as images, which can expose sensitive filesystem contents or cause the process to touch unintended files; in an agent workflow that processes user-supplied documents automatically, this increases risk.
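The two path findings above (fixes.json task paths and SVG <image href> values) share one root cause, an untrusted path resolved without a containment check, so one added example covers both. It is illustrative code, not the skill's own: candidates are percent-decoded first, absolute paths are refused, and the result of resolve() must still sit under the directory the tool is allowed to touch, which also catches a symlink inside that directory pointing out of it. The project layout (an images/ directory under the project root, SVGs in slides/), the sample task file and the sample SVG are constructed for the demo.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import unquote, urlsplit


class UnsafePath(ValueError):
    """A path that would leave the directory the tool is allowed to touch."""


def resolve_inside(base: Path, candidate: str) -> Path:
    """Resolve candidate under base; refuse absolute, NUL and escaping paths.

    Decoding happens before the checks so %2e%2e/ cannot slip past a literal
    '..' test; resolve() follows '..' and symlinks before containment is tested.
    """
    if not candidate or "\x00" in candidate:
        raise UnsafePath("empty or NUL-containing path")
    decoded = unquote(candidate)
    if (PurePosixPath(decoded).is_absolute() or PureWindowsPath(decoded).is_absolute()
            or decoded.startswith(("/", "\\"))):
        raise UnsafePath(f"absolute path not allowed: {candidate!r}")
    base_r = base.resolve()
    target = (base_r / decoded).resolve()
    if target != base_r and base_r not in target.parents:
        raise UnsafePath(f"path escapes {base_r}: {candidate!r}")
    return target


def check_fix_tasks(project_root: Path, fixes_json: str) -> dict:
    """Validate every image path in a fix/rotation task file before any file is opened."""
    accepted, rejected = [], []
    for task in json.loads(fixes_json):
        try:
            accepted.append(resolve_inside(project_root / "images", task["path"]))
        except UnsafePath as exc:
            rejected.append((task["path"], str(exc)))
    return {"accepted": accepted, "rejected": rejected}


SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def check_svg_image_refs(svg_text: str, svg_dir: Path) -> dict:
    """Collect <image href> targets and keep only local files under svg_dir.

    Production code should parse with defusedxml; the stdlib parser is used
    here only to keep the example dependency-free.
    """
    root = ET.fromstring(svg_text)
    accepted, rejected = [], []
    for image in root.iter(f"{SVG_NS}image"):
        href = image.get("href") or image.get(XLINK_HREF) or ""
        if href.startswith("data:"):
            continue  # inline payload, no filesystem access involved
        if urlsplit(href).scheme:  # file:, https:, and anything else with a scheme
            rejected.append((href, "only bare relative paths are accepted"))
            continue
        try:
            accepted.append(resolve_inside(svg_dir, href))
        except UnsafePath as exc:
            rejected.append((href, str(exc)))
    return {"accepted": accepted, "rejected": rejected}


# Constructed inputs for the demo (not taken from the skill's repository).
DEMO_ROOT = Path.cwd() / "demo_project"
SAMPLE_FIXES_JSON = json.dumps([
    {"path": "logo.png", "rotate": 90},
    {"path": "../../.ssh/id_rsa", "rotate": 90},
    {"path": "/etc/passwd", "rotate": 180},
    {"path": "%2e%2e/%2e%2e/secret.png", "rotate": 270},
])
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="chart.png"/>
  <image xlink:href="../../../etc/hostname"/>
  <image href="file:///etc/passwd"/>
  <image href="https://cdn.example/remote.png"/>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""


def demo() -> dict:
    return {
        "fixes": check_fix_tasks(DEMO_ROOT, SAMPLE_FIXES_JSON),
        "svg": check_svg_image_refs(SAMPLE_SVG, DEMO_ROOT / "slides"),
    }


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, "accepted:", [p.name for p in result["accepted"]])
        print(kind, "rejected:", [h for h, _ in result["rejected"]])
```

The fallback-location behaviour the finding describes is the part to drop: every fallback is another base directory, and the containment check has to be run against whichever one is finally used, not against the first one tried.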

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This script updates the repository with git pull and conditionally runs pip install -r requirements.txt, giving the skill self-update and code/dependency installation capability unrelated to PPTX/SVG generation. If a remote repository, branch, or dependency source is compromised, running this script can fetch and execute unreviewed code in the local environment, substantially expanding supply-chain risk.
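The dependency half of that risk can be gated before pip install runs. What follows is an added example, not update_repo.py: it diffs the current and incoming requirements.txt and refuses automatic installation when any package was added, removed or changed, when a spec is not an exact == pin, or when a pin carries no --hash. The sample requirements files and their hashes are constructed placeholders. For the git pull half the equivalent discipline is git fetch followed by a review of git diff HEAD..origin/<branch>, or a pin to a reviewed commit, before merging; that part is not shown here.

```python
import re

# Matches "name", "name==1.2", "name>=1.0"; extras and environment markers are
# not handled (assumption: the skill's requirements are plain pins).
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+:[0-9a-fA-F]+)")


def _logical_lines(text: str):
    """Join backslash-continued lines, the layout pip-compile uses for --hash pins."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> dict:
    """Map normalised package name -> {op, version, hashes, line}."""
    reqs = {}
    for line in _logical_lines(text):
        if not line or line.startswith(("#", "-")):
            continue  # comments, -r includes, --index-url and similar options
        m = REQ_RE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
        reqs[name] = {"op": m.group(2), "version": m.group(3),
                      "hashes": HASH_RE.findall(line), "line": line}
    return reqs


def review_update(old_text: str, new_text: str) -> dict:
    """Diff two requirements files and list everything a human should look at.

    Any added, removed or changed package, any spec that is not an exact '=='
    pin, and any pin without --hash blocks automatic installation.
    """
    old, new = parse_requirements(old_text), parse_requirements(new_text)
    findings = []
    for name, req in new.items():
        if name not in old:
            findings.append(("added", name, req["line"]))
        elif (old[name]["op"], old[name]["version"]) != (req["op"], req["version"]):
            findings.append(("changed", name, f"{old[name]['version']} -> {req['version']}"))
        if req["op"] != "==":
            findings.append(("unpinned", name, req["line"]))
        if not req["hashes"]:
            findings.append(("no-hash", name, req["line"]))
    for name in old.keys() - new.keys():
        findings.append(("removed", name, old[name]["line"]))
    return {"needs_review": bool(findings), "findings": findings}


# Constructed sample files; the hashes are short placeholders, not real digests.
OLD_REQUIREMENTS = """\
python-pptx==0.6.23 \\
    --hash=sha256:0000000000000001
Pillow==10.3.0 --hash=sha256:0000000000000002
"""
NEW_REQUIREMENTS = """\
python-pptx==1.0.2 --hash=sha256:0000000000000003
Pillow==10.3.0 --hash=sha256:0000000000000002
requests>=2.0
"""

if __name__ == "__main__":
    report = review_update(OLD_REQUIREMENTS, NEW_REQUIREMENTS)
    for kind, name, detail in report["findings"]:
        print(f"{kind:9} {name:12} {detail}")
    print("needs review:", report["needs_review"])
```

When the review passes, install with pip's own verification turned on (pip install --require-hashes -r requirements.txt) so the digests the file carries are actually enforced at download time rather than merely present.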

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The file implements a standalone web crawler and Markdown exporter that is broader than the advertised PPTX/SVG conversion role. Capability drift matters because users or higher-level agents may grant trust based on the manifest, while this script can fetch arbitrary URLs and persist remote content locally.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code downloads remote images referenced by processed pages and stores them locally, expanding the skill from format conversion into multi-stage crawling and persistence. In an agent setting, this increases exposure to untrusted remote data, disk consumption, and unintended retrieval of attacker-controlled resources.
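The three fetch-related findings (the project manager's URL fetcher, the crawler, and its image downloader) all need the same gate: decide whether a URL may be fetched at all. Added example, not the skill's code: only http(s), no embedded credentials, and every address the host resolves to must be globally routable, so loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address), IPv4-mapped IPv6 forms and the shared-address range are refused, and the check fails closed on resolver errors. The DNS answers are constructed so the demo runs offline; system_resolver is what real code would pass.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list:
    """Resolve host to its IP strings via the OS resolver (all address families)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_ip(ip_str: str) -> bool:
    """True for anything not globally routable: loopback, private, link-local
    (169.254.0.0/16 includes the cloud metadata address), multicast, reserved,
    unspecified, and IPv4-mapped IPv6 forms of any of those."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return is_blocked_ip(str(ip.ipv4_mapped))
    return not ip.is_global or ip.is_loopback or ip.is_link_local or ip.is_multicast


def check_fetch_url(url: str, resolver=system_resolver) -> tuple:
    """Decide whether a user-supplied URL may be fetched. Returns (ok, reason).

    Fails closed: unknown scheme, missing host, embedded credentials, resolver
    failure, or any resolved address that is not public rejects the URL.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [host] if _is_ip_literal(host) else resolver(host)
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the demo runs offline; real code passes system_resolver.
DEMO_DNS = {
    "docs.example": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "dual.example": ["93.184.216.35", "192.168.1.1"],  # one public, one private: blocked
    "localhost": ["127.0.0.1", "::1"],
}


def demo_resolver(host: str) -> list:
    if host not in DEMO_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return DEMO_DNS[host]


DEMO_URLS = [
    "https://docs.example/guide",
    "http://169.254.169.254/latest/meta-data/",
    "http://intranet.corp/admin",
    "https://dual.example/",
    "http://localhost:8080/",
    "http://[::ffff:127.0.0.1]/",
    "http://docs.example@10.0.0.5/",
    "file:///etc/passwd",
    "https://nonexistent.example/",
]


def demo() -> dict:
    return {u: check_fetch_url(u, demo_resolver) for u in DEMO_URLS}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print("ALLOW" if ok else "BLOCK", url, "-", reason)
```

Two caveats the check cannot cover on its own: a fetch library that follows redirects must re-run it on every hop (or have redirects disabled and handled by the caller), and because the decision is made on a resolution separate from the connection, a hostname whose DNS answer changes between the two (rebinding) can slip through unless the client connects to the vetted address directly.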

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
请直接输出 SVG 代码,不要包含其他解释。 (English: Please output the SVG code directly; do not include any other explanation.)
"""
        
        return prompt
    
    def _enhance_content(self, svg_file: Path, issue_info: Dict) -> Tuple[bool, str]:
        """
Confidence
86% confidence
Finding
Matched on `return prompt`: the method assembles the SVG-generation prompt (ending with the instruction shown above) and hands the complete text back to its caller, so the prompt template is exposed to anything that consumes that return value.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal