Ai Ppt Generator 1.1.4

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses Baidu AI to generate PowerPoint files, with the main privacy consideration that submitted topics or content are sent to Baidu and the result may be hosted there.

Install only if you are comfortable using Baidu AI for the presentation content. Use a dedicated Baidu API key if possible, and avoid submitting secrets, regulated data, private documents, or confidential business material unless Baidu processing and a hosted PPT link are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill metadata declares required binaries and environment variables and the workflow clearly invokes Python scripts that will call an external API, but it does not declare corresponding permissions in a way that transparently informs the hosting agent/user about shell, network, and secret access. This creates a trust gap: a user may authorize or run the skill without understanding that their prompt content and API key will be used by executable code with outbound connectivity.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill description says it generates PPTs with Baidu AI but does not clearly warn that user-supplied topic/content is transmitted to an external third-party service. This can lead to unintentional disclosure of sensitive business, educational, or personal information if users assume processing is local or agent-internal.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script transmits user-provided query content to Baidu's external API, and later also supports sending optional web_content, without any explicit notice, consent flow, or data-classification guardrails. In an agent skill context, prompts and supplied content may contain sensitive business, personal, or credential-bearing data, so silent transmission to a third party creates a real privacy and data-governance risk.

External Transmission

Medium
Category: Data Exfiltration
Content:
    outline = ""
    chat_id = ""
    query_id = ""
    with requests.post(URL_PREFIX + "generate_outline", headers=headers, json=params, stream=True) as response:
        for line in response.iter_lines():
            line = line.decode('utf-8')
            if line and line.startswith("data:"):
Confidence: 94%
Finding: requests.post(URL_PREFIX + "generate_outline", headers=headers, json=

External Transmission

Medium
Category: Data Exfiltration
Content:
        "web_content": web_content,
        "enable_save_bos": True,
    }
    with requests.post(URL_PREFIX + "generate_ppt_by_outline", headers=headers, json=params, stream=True) as response:
        if response.status_code != 200:
            print(f"request failed, status code is {response.status_code}, error message is {response.text}")
            return []
Confidence: 96%
Finding: requests.post(URL_PREFIX + "generate_ppt_by_outline", headers=headers, json=

VirusTotal

56/56 vendors flagged this skill as clean.
