ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QoderWork PPT (Jack)

Generate QoderWork-style presentations. Automatically matches 14 templates based on your topic and outputs an editable .pptx file.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 23 · 0 current installs · 0 all-time installs
by@Jackwang2999
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the shipped templates, rules, and Node scripts. Required artifacts (HTML templates, manifest, validation/fill/convert scripts) are appropriate and proportional to generating PPTX output.
Instruction Scope
Runtime instructions stay within the PPT-generation workflow (create output/, generate content.md, build slides.json, run provided node scripts). They do instruct the agent to call helper tools like generate_image or web_search for some image slots — those are plausible for image acquisition but are not defined in the skill and may cause network/API activity outside the skill. The instructions also require running npm and node scripts (which will execute code in the skill directory).
Install Mechanism
No automated install spec is embedded; user is told to run npm install in the skill directory. That is expected but means npm will fetch packages (puppeteer downloads Chromium, etc.). This is normal for Node tools but carries the usual network/third-party-package risk — review package.json and package-lock before installing.
Credentials
The skill declares no required environment variables, credentials, or special config paths. The only implied external needs are optional image generation/web search calls (which could require API keys depending on how your agent implements generate_image/web_search), but nothing in the skill asks for unrelated secrets.
Persistence & Privilege
always is false and the skill does not request elevated or system-wide persistence. It writes files under the project workspace (output/) which is expected for a generator. It does not modify other skills or global configs.
Scan Findings in Context
[base64-block] expected: The skill's templates and filled HTML embed many data:image/...;base64 blobs (backgrounds and sample images). The scanner flagged base64-block, but base64 images are expected in offline HTML templates and are not by themselves malicious. Still review large embedded blobs if you need to verify origin.
Assessment
This skill appears to do what it says, but take these precautions before running: 1) Inspect package.json and package-lock.json to confirm dependencies and any postinstall scripts; 2) Run npm install and the pipeline in an isolated environment (or sandbox) because Puppeteer will download/launch Chromium and node modules will execute code; 3) Confirm how your agent supplies generate_image / web_search (these are not defined in the skill) and whether they will call external APIs that require keys — provide credentials only if you trust the image provider; 4) If you need to be extra cautious, open the scripts (scripts/*.js) and search for network endpoints, exec/child_process usage, or unexpected file-system paths before executing; 5) Expect the skill to write output files under the working directory (output/ and output/images/) and avoid running it from sensitive system root paths.
pptx/scripts/run-pipeline.js:54
Shell command execution detected (child_process).
!
pptx/scripts/fill-template.js:9
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97cm7n09bm4aq3sj278dvfq6n83bzgd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

QoderWork-PPT

When a user wants to generate a QoderWork-style presentation, use this skill. Based on the user's topic and requirements, it automatically generates content, matches suitable templates, and outputs an editable PowerPoint file.

Execution Flow

0. Prepare output directory

Create the output directories if they don't exist:

mkdir -p output output/images

1. Understand requirements & generate content document

Read rules/content-rules.md (in this skill directory), then convert the user's requirements into a structured content document at output/content.md.

  • Extract from user input: topic, audience, key points, page count preferences, etc.
  • Generate a well-structured plain-text document following content-rules
  • Content should be complete, logically clear, and ready for template matching
  • CRITICAL — page budget: unless the user explicitly requests more, plan for 8–15 slides total (including cover, TOC, section dividers, and closing). Count your planned slides before proceeding to step 2. If the outline exceeds 15, merge or cut sections.

2. Match templates & generate slide sequence

Read rules/template-matching.md and templates/manifest.json, then generate output/slides.json based on content.md.

  • slides.json array length MUST be ≤ 15 (unless the user explicitly requested more). Count before writing the file.
  • Format per slide: { "templateId": "xxx", "slots": { "slotId": "value", ... } }
  • A full example (one slide per template type) is available at rules/slides-example.json — copy and adapt it
  • Strictly follow template-matching rules; slot values must conform to manifest constraints (type, maxLength, etc.)

Cover background:cover 模板的 coverBackground 槽位勿主动填写,使用模板默认背景。仅当用户明确要求自定义封面图时才填。

Section-divider 插图:03 章节分隔页右侧的 image 槽位尽量勿填,使用模板默认插图。仅当用户明确要求更换章节配图时才填。

Image slots (type: image) accept any of:

FormatExampleWhen to use
lucide:<icon-name>lucide:shield-checkIcon-style images (preferred for column cards in 06/07/08)
Image URLhttps://example.com/photo.jpgWeb images
Local pathoutput/images/slide-03.pngAfter generating/saving an image locally

When you must generate/search for real images: slots marked aiGeneratable: true that need a real photograph or illustration (not an icon) — typically section-divider image, content-left-text-right-image image, and full-image background. Call generate_image or web_search to obtain them, save to output/images/, and fill the path into slots. These image slots are required — do NOT leave the default placeholder.

3. Fill HTML templates

Working directory (cwd): must be the project root (where output/ lives).

Script path: relative to this skill directory. Replace SKILL_SCRIPTS below with the actual path (e.g., resources/skills-market/qoderwork-ppt/scripts if using this repo as workspace, or ~/.qoderwork/skills/qoderwork-ppt/scripts if installed from market).

Optional — validate first:

node SKILL_SCRIPTS/validate-slides.js output/slides.json

Then fill templates (or use the one-click pipeline below):

node SKILL_SCRIPTS/fill-template.js output/slides.json

Recommended — one-click pipeline (steps 3+4 combined):

node SKILL_SCRIPTS/run-pipeline.js output/slides.json

Output file is auto-named with a timestamp (e.g. output/presentation-2026-03-06-10-30-00.pptx) to avoid overwriting previous runs.

4. Convert to PPTX

If you didn't use the one-click pipeline above, run separately:

node SKILL_SCRIPTS/html-to-pptx-dom.js output/filled

Reads filled HTML from output/filled/, renders via Puppeteer, and converts to PPTX using dom-to-pptx — preserving background images, rounded corners, fonts, and full styling.

5. Inform the user

Tell the user the PPT has been generated at output/presentation.pptx, with a brief summary of page count and structure.

Resumability (Agent checkpoint recovery)

  • Step 1: If output/content.md already exists and the user didn't ask to "regenerate content", skip to step 2.
  • Step 2: Always (re-)generate output/slides.json from content.md.
  • Step 3+4: If only slides.json changed, just re-run run-pipeline.js (overwrites output/filled/ and output/presentation.pptx).

Key Files (in this skill directory)

FilePurpose
rules/content-rules.mdContent generation rules & document structure
rules/template-matching.mdTemplate matching rules & image slot conventions
rules/slides-example.jsonFull slides.json example (one slide per template type)
templates/manifest.json14 template definitions with slot specs
templates/*.html14 HTML template files (1920×1080)
scripts/validate-slides.jsPre-validation for slides.json
scripts/fill-template.jsFills slot values into HTML templates
scripts/html-to-pptx-dom.jsHigh-fidelity HTML → PPTX conversion
scripts/run-pipeline.jsOne-click: validate → fill → convert

Output Files (in project root output/)

FilePurpose
output/content.mdIntermediate: structured content
output/slides.jsonIntermediate: slide sequence + slot values
output/images/Generated/downloaded images for slides
output/filled/*.htmlFilled single-page HTML files
output/presentation.pptxFinal PowerPoint file

Dependencies

Before first use, install dependencies in this skill directory:

cd <path-to-this-skill-directory> && npm install

Required packages: jsdom, puppeteer, dom-to-pptx, lucide-static. Icons are loaded from local lucide-static (no network at runtime).

Files

39 total
Select a file
Select a file to preview.

Comments

Loading comments…