Sum2Slides

Security checks across malware telemetry and agentic risk

Overview

The skill’s core text-to-PowerPoint function is plausible, but its documentation and helper scripts encourage automatic processing and sharing of potentially sensitive chat or meeting content without clear consent controls.

Review this skill before installing in a team or chat environment. Keep automatic triggers and auto-save disabled unless tightly scoped, require confirmation before processing chat history or meeting notes, remove the hardcoded Feishu owner ID, and disable shared-folder, Slack, or email distribution unless explicitly approved for the content being converted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The report hardcodes a concrete Feishu owner_open_id while simultaneously claiming there is no hardcoded sensitive data. Even if the identifier is not a secret credential, it is still persistent user-linked data, and the document instructs operators to reuse it for cloud document ownership, which can expose identity information and cause misdirected document creation or privacy issues.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The script’s advertised purpose is to generate a demo presentation, but its main flow also performs an additional file-distribution action by copying the generated PPTX into a Samba shared folder. In an agent/skill context, hidden side effects that move data to a shared location can expose generated content to unintended users or systems, especially if the slide content later includes sensitive material.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The script’s stated purpose is to generate a local demo PPT, but it also copies the generated file into a Samba shared folder without clearly documenting that side effect or asking for confirmation. In an agent skill context, undisclosed file copying to a network-accessible location can leak generated content or metadata outside the expected execution boundary, especially if future inputs contain sensitive discussion summaries.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The script presents itself as a security scanner and prints trust-inducing conclusions such as the project being safe or ready to upload, but it performs only shallow checks and omits substantive security validation. This can mislead operators into relying on a false sense of assurance, causing vulnerable code to be distributed or approved.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The code labels this phase as a Python security check but only scans the first 10 Python files, creating intentional blind spots. In a larger project, malicious or vulnerable files placed later in traversal order would be skipped while the tool still reports reassuring results.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The final messaging states the project is ready to upload based on incomplete checks focused largely on file presence, formatting, and simple regex matching. This overstates the security posture and can influence users to publish software without proper review.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The document advertises 'keyword trigger/automatic keyword trigger' without defining the exact trigger phrases, scope, or guardrails. In a chat-integrated skill, ambiguous auto-trigger behavior can cause unintended activation on ordinary conversation content, which may process sensitive discussion text or produce actions the user did not explicitly request.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The phrase describing 'multiple trigger methods' including 'automatic keyword triggering' is underspecified and does not bound when automatic activation occurs. In the context of an OpenClaw/chat workflow skill that summarizes discussions into PPTs, this increases the risk of accidental invocation from normal messages and unintended ingestion of potentially sensitive group-chat content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The file embeds a specific user ID and gives operational instructions to create or write Feishu documents using that identifier, but provides no privacy notice, consent requirement, or data-handling guidance. In a skill context, this increases the chance that an agent or operator will reuse personal identifiers blindly and send content to the wrong owner or process personal data without authorization.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The guide recommends broad auto-trigger behavior based on common keywords like '会议纪要', '报告', '演示', and '幻灯片', which can cause the skill to activate on ordinary conversation rather than an explicit user command. In a skill that generates files and can participate in downstream workflows, unintended invocation can process sensitive user content and create artifacts without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documented workflows automatically generate presentations, save them to disk, copy them to shared folders, and send notifications or email attachments, but do not describe user consent, privacy review, or data classification checks. If meeting notes, daily reports, or chat/email-derived content contain sensitive information, the skill can amplify exposure by persisting and distributing that data across Slack, email, or shared storage.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The configuration examples enable auto_trigger and auto_save and define output directories and keywords, but do not warn that user content may be automatically processed and written to disk. In practice, this can create unanticipated local persistence of sensitive content, increasing the risk of disclosure through backups, shared machines, indexing, or later workflow actions.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The examples show very broad triggers such as converting 'the above discussion' into a PPT without defining scope limits, redaction expectations, or exclusions for confidential content. In a chat environment, this can cause the skill to ingest and re-present more conversation history than the user intended, increasing the chance of exposing sensitive internal discussions in generated slides.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill is documented as summarizing chat discussions into presentation material but does not warn users that this may process sensitive conversation content and reproduce it in a more shareable format. That omission is risky because users may invoke it in group chats containing confidential project, personnel, or business information, leading to unintended disclosure through the resulting PPT.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The code copies output to a Samba share automatically without any warning, consent, or runtime confirmation. In a skill environment this creates an implicit exfiltration path from a local generation task to a network-accessible/shared location, which is risky if users assume the artifact stays local or if the share has broader access than expected.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The document explicitly instructs reuse of a specific user identifier when creating a cloud document, which operationalizes a hardcoded personal identifier inside an agent workflow. This is risky because it can bind documents to the wrong account, expose user-linked metadata, and normalize unsafe copying of identifiers across environments.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-pptx>=0.6.21
markdown>=3.4.4
pydantic>=2.0.0
click>=8.1.0
Confidence: 95%
Finding: python-pptx>=0.6.21

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-pptx>=0.6.21
markdown>=3.4.4
pydantic>=2.0.0
click>=8.1.0
pyyaml>=6.0
Confidence: 95%
Finding: markdown>=3.4.4

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-pptx>=0.6.21
markdown>=3.4.4
pydantic>=2.0.0
click>=8.1.0
pyyaml>=6.0
Confidence: 95%
Finding: pydantic>=2.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-pptx>=0.6.21
markdown>=3.4.4
pydantic>=2.0.0
click>=8.1.0
pyyaml>=6.0
Confidence: 93%
Finding: click>=8.1.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown>=3.4.4
pydantic>=2.0.0
click>=8.1.0
pyyaml>=6.0
Confidence: 98%
Finding: pyyaml>=6.0

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like se)

Severity: High
Category: Supply Chain
Confidence: 73%
Finding: markdown

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: pydantic

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 97%
Finding: pyyaml

VirusTotal

64/64 vendors flagged this skill as clean.