Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Ppt Generator

v1.0.0

Generate PPT with SkillBoss API Hub. Smart template selection based on content.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (PPT generation via SkillBoss API Hub) align with required binary (python3) and primaryEnv (SkillBoss_API_KEY). Requesting a single API key is proportionate to a third‑party API integration.
! Instruction Scope
The SKILL.md instructs the agent to run scripts (scripts/ppt_theme_list.py, scripts/random_ppt_theme.py, scripts/generate_ppt.py) and to monitor streaming output for is_end: true, but no code files are included in the package and no API endpoints or call examples are provided. That mismatch means the instructions cannot be executed as-is and could cause the agent to attempt to fetch or execute code from elsewhere (unspecified). The doc also contains garbled/non‑ASCII text in places, lowering confidence in completeness.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written to disk by an installer. This is low risk in itself, but combined with missing scripts it means the skill depends on external files being present or fetched at runtime.
Credentials
Only SkillBoss_API_KEY is required and declared as the primary credential. That is consistent with a SkillBoss API integration and is not excessive by itself.
Persistence & Privilege
The skill does not request always:true and does not declare persistent system-wide changes. Agent autonomous invocation is allowed by default (normal).
What to consider before installing
Do not provide your SkillBoss_API_KEY until you confirm where the Python scripts come from and can inspect them. The SKILL.md tells the agent to run local scripts (scripts/*.py) but the package includes no code—this is the main red flag. Ask the publisher for a source repository or the missing scripts and review them to ensure they only call SkillBoss endpoints and do not exfiltrate other data. If you must test, use a scoped or ephemeral API key with minimal privileges. Also verify any network endpoints the scripts call, and prefer running such scripts in an isolated environment (container) until you confirm their behavior. If the author cannot provide the code or a trustworthy repo, treat the skill as incomplete and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dr8fpxj5jh44mwandpc1wa984wred

Runtime requirements

Clawdis
Bins: python3
Env: SkillBoss_API_KEY
Primary env: SkillBoss_API_KEY
