Huo15 Openclaw Ppt

Security checks across malware telemetry and agentic risk

Overview

This PPT skill is broadly useful, but it should be reviewed carefully because several document and deck workflows can send full user content to external AI providers despite local-privacy claims.

Install only if you are comfortable with PPT prompts, imported documents, slide text, URLs, and speaker-note inputs being sent to configured third-party AI providers. Avoid using it on confidential or regulated files unless you control the provider settings, disable remote workflows, and review output paths and local caches first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Use print-to-pdf to render the whole deck into one PDF, then split it into PNGs with pdftoppm
    pdf_path = output_dir / 'preview.pdf'
    subprocess.run([
        chrome, '--headless', '--disable-gpu', '--no-sandbox',
        '--print-to-pdf=' + str(pdf_path),
        '--print-to-pdf-no-header',
Confidence
95% confidence
Finding
subprocess.run([ chrome, '--headless', '--disable-gpu', '--no-sandbox', '--print-to-pdf=' + str(pdf_path), '--print-to-pdf-no-header', '--virtual-time-budget=2000',

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documented scope extends well beyond simple PPT generation into content ingestion, publication, rewrite pipelines, and media export. In a skill ecosystem, this kind of scope inflation is security-relevant because it increases the attack surface and makes it harder for users and reviewers to understand when data may be fetched, transformed, or exposed externally.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims local execution, privacy, and zero cloud dependency, yet elsewhere it instructs users to provide API keys and use external LLM/API providers. This is dangerous because users may process contracts, financials, or other sensitive documents believing they remain local when the skill can send them to third-party services.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The helper performs outbound network calls and uses API credentials, but the surrounding skill metadata/manifest reportedly does not reflect those capabilities. In an agent setting, this can undermine user trust and consent because prompts may be sent to third-party services and local environment secrets may be accessed without clear declaration.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script expands its attack surface by invoking multiple external executables, including a browser, document converters, and helper scripts, on potentially untrusted deck-derived content. In this context, the risk is heightened because the skill is described as PPT generation, so users may not expect local execution of renderers and analysis tools with their associated parser vulnerabilities.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The script saves output to a hard-coded user-specific absolute path without using a controlled output contract. In an agent/skill context, this can cause unintended file writes, overwrite existing files, leak operator usernames or filesystem layout, and bypass caller expectations about where artifacts should be stored.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script extracts arbitrary Word document contents and sends them to an external Claude API without any in-code trust boundary, redaction, or explicit consent flow. In a PPT-generation skill marketed around templates and design packs, this is more dangerous because users may reasonably assume local formatting work rather than third-party transmission of potentially sensitive document contents.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
In rewrite mode, the code serializes all extracted slide text and transmits it to Anthropic. If users run this on confidential or regulated presentations, sensitive content may be disclosed to an external service without strong in-code consent gates, redaction, or tenancy controls. In a PPT styling skill, this capability increases risk because presentations often contain business secrets, internal roadmaps, or personal data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script transmits the full deck JSON to Anthropic for rewriting, which is an external data egress path not evident from the skill's stated local PPT-generation purpose. If decks contain confidential business content, customer data, or internal strategy, users may unknowingly disclose sensitive information to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads Anthropic credentials from the environment and uses them to perform remote LLM calls, expanding its trust boundary beyond presentation rendering into third-party API access. In a skill ecosystem, this is security-relevant because it enables outbound communication and use of host-provided secrets without clearly matching the declared capability surface.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script depends on fixed local asset paths under /tmp and writes output to a hard-coded user-specific absolute path, which can expose or overwrite files outside an expected skill workspace. In an agent environment, this broad filesystem access pattern is risky because it assumes sensitive host paths are available and can cause unintended disclosure, dependency on attacker-controlled temp files, or modification of user data without consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script sends slide text to Anthropic's external API for rewriting, which introduces a real data exfiltration/privacy risk if decks contain confidential business, customer, or regulated information. In this skill context, PPT content often includes internal strategy and unpublished material, making undisclosed third-party transmission more sensitive than ordinary formatting logic.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script adds a capability beyond the declared skill scope: it extracts slide text, sends it to an LLM, and writes generated speaker notes back into the PPTX. Scope expansion matters because users may invoke a PPT styling/generation skill without expecting document content to be processed for hidden notes generation, creating consent, privacy, and governance risks.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code sends all extracted slide text to Anthropic via `client.messages.create`, which is a real data egress path to a third-party service. If slides contain confidential business data, personal data, or regulated content, this can cause unauthorized disclosure, especially since the skill description emphasizes local PPT generation/styling rather than external content processing.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script can fetch arbitrary user-supplied URLs, which expands the skill from PPT generation into a network-capable content retriever. In agent or hosted environments, that can be abused for server-side request forgery against internal services, cloud metadata endpoints, or other network resources reachable from the runtime.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script sends fetched webpage content to an external LLM backend, but this behavior is not disclosed in the skill description. That creates an unannounced data egress path where imported content, potentially including sensitive or proprietary text, is transmitted to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script sends extracted XMind content directly to an external LLM service via call_claude(full_prompt). Mind maps often contain internal strategy, customer data, credentials, or other sensitive notes, so automatic transmission to a third party creates a real confidentiality and compliance risk.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger phrases are extremely broad, including generic terms like 'PPT', '做 PPT' ("make a PPT"), '继续' ("continue"), and page-related language that can appear in ordinary conversation. Overbroad activation can cause the skill to run unexpectedly, which is especially risky here because the documented functionality includes file access, network calls, cloud LLM processing, and content transformation.

Vague Triggers

High
Confidence
87% confidence
Finding
The manifest-level description advertises many ambiguous trigger phrases without any activation constraints, making accidental or silent invocation more likely. Because this skill can touch local content and external providers, accidental activation could expose user data or modify artifacts when the user merely mentioned a style or presentation term conversationally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User-supplied prompt text is transmitted to external image-provider APIs without any explicit warning, consent flow, or data-minimization step. In a PPT-generation context, prompts may contain confidential business plans, personal data, or proprietary product details, so silent disclosure to third parties is a meaningful privacy and compliance risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Writing a file to a fixed path without confirmation or prior notice can create side effects the caller did not authorize. In a skill environment, silent writes are more dangerous because they may alter local state unexpectedly and overwrite prior outputs in a predictable location.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Extracted document content is transmitted to an external LLM service without any visible warning, consent prompt, or data-handling notice. This creates a real privacy and confidentiality risk, especially because imported Word files often contain internal business, personal, or regulated information and the skill description does not emphasize remote content sharing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script extracts full PDF text and sends it to an external LLM service without an explicit consent step, privacy warning, redaction, or data-classification check. In a PPT-generation skill, users may process confidential reports, contracts, or internal strategy documents, so silent transmission to a third party can cause data leakage and compliance violations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends the entire deck payload to an external API without any visible warning, consent flow, or selective redaction. This creates a meaningful privacy and confidentiality risk because decks commonly contain proprietary text, financial figures, roadmap details, or personal data.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Writing a PPTX to a fixed user-specific path without confirmation can overwrite existing files or create files in a location the user did not intend. In a local agent skill context this is a real safety issue because side effects occur automatically on the host filesystem, even though the impact is usually limited to integrity/UX rather than full compromise.

VirusTotal

64/64 vendors flagged this skill as clean.
