教案内容写入PPT备注 (Write lesson-plan content into PPT notes)

Security checks across malware telemetry and agentic risk

Overview

This skill reads local lesson-plan documents and writes their content into the notes of updated copies of the matching PPT files, with cautions around automatic dependency installation and optional scheduled execution.

Install only if you want the agent to process the listed local course folders and create updated PPT copies. Preinstall python-pptx yourself if possible, review the files it plans to read and write, and enable any weekly automation only after confirming the target directory is correct.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import pptx  # python-pptx; the try body is not shown in the scan excerpt and is assumed here
except ImportError:
    # Runtime pip install flagged by the scanner: fetches and executes package code without review
    print("正在安装 python-pptx 库...")
    import subprocess
    import sys  # needed for sys.executable; not included in the excerpt
    subprocess.check_call([sys.executable, "-m", "pip", "install", "python-pptx", "-q"])
    print("安装完成!")
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "python-pptx", "-q"])

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script installs a package at runtime using pip when import fails, causing unreviewed code to be fetched and executed in the user's environment. Even though the package name looks legitimate, automatic dependency installation expands the attack surface through supply-chain risk, unexpected network access, and arbitrary code execution during package install.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Auto-installing a package is an environment-modifying action that is not strictly necessary for processing local DOCX/PPTX files at execution time. In a skill execution environment, this creates avoidable supply-chain and policy-bypass risk because the script can fetch and install code from external package repositories.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough that normal conversation such as '更新PPT备注' ("update PPT notes") could invoke the skill without sufficient disambiguation. In combination with file scanning and file creation behavior, ambiguous activation raises the risk of unintended filesystem operations on local teaching materials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly scans a local drive, locates documents, reads their contents, and writes updated PPT files, but the skill does not warn the user that it will perform these filesystem changes. Unannounced bulk file operations are risky because they may affect the wrong course folder, expose sensitive educational content, or create unintended modified copies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill proposes scheduled automatic execution every Monday without a user-facing warning or explicit safeguards for unattended file access and modification. Unattended runs increase risk because they can repeatedly scan and alter files without review, amplifying mistakes and making accidental data modification harder to detect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Invoking subprocess to run pip without explicit user confirmation performs a security-sensitive action silently. In this skill context, the expected task is local PPT processing, so undisclosed package installation and network-dependent behavior are less justified and can surprise users or violate locked-down environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The subprocess-based pip install occurs with only a generic progress message and no meaningful safety notice, consent flow, or description of the external network/environment changes being made. That makes the behavior risky in automated environments where users may not realize the skill is downloading and executing third-party package installation logic.

VirusTotal

66/66 vendors flagged this skill as clean.
