ClawHub
Back to skill
v1.0.0

AI PPT generate

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:20 AM.

Analysis

The skill appears to do what it claims—generate PPTs through Baidu—but it requires a Baidu API key and sends your PPT content or resource links to Baidu.

GuidanceThis skill looks purpose-aligned and does not show hidden persistence, local data harvesting, or destructive behavior. Install it only if you are comfortable using Baidu/Qianfan for PPT generation, set BAIDU_API_KEY securely, and avoid submitting confidential documents or private URLs unless sharing them with Baidu is acceptable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The skill's visible code is coherent and no install-time execution is declared, but the registry does not provide an upstream source or homepage for provenance review.

User impactUsers have less external context for verifying who maintains the skill before trusting it with a Baidu API key.
RecommendationVerify the publisher and code contents before installing, and prefer skills that provide a clear source repository or homepage.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Ensure the BAIDU_API_KEY environment variable is set with your valid API key.

The skill uses a provider API credential. That is expected for Baidu PPT generation, but the registry metadata says no required env vars or primary credential, so users may not notice the account/API access requirement before install.

User impactThe Baidu API key may authorize account usage, quota consumption, or billing for the Baidu Qianfan service.
RecommendationUse a dedicated, least-privilege Baidu API key where possible, keep it out of prompts and logs, and declare BAIDU_API_KEY in the skill metadata.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/ppt_generate.py
url = "https://qianfan.baidubce.com/v2/tools/ai_ppt/generate_ppt_by_outline" ... "query": query, "outline": outline ... if resource_url: params["resource_url"] = resource_url

The script sends the user's PPT topic, outline, and optional resource or template URLs to Baidu's remote API. This is core to the stated purpose, but it is a third-party data boundary users should understand.

User impactAny confidential topic text, outline content, document URL, image URL, or template URL provided to the skill may be processed by Baidu.
RecommendationOnly provide documents, resource URLs, and template URLs that you are allowed to share with Baidu, and avoid using sensitive private files unless your organization approves that use.