ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ppt-creator

v1.0.0

专业级智能 PPT 全生命周期创作与增强套件。支持通过 yoo-ai API 自动生成、编辑与美化 PPT。当需要执行以下任务时使用此 Skill:(1) 【多源生成】:将简单主题、结构化大纲、本地文件(.docx, .txt)或 AI 编码项目(架构分析)转化为专业 PPT;(2) 【专家流】:需要“先审阅大纲...

0· 114·1 current·1 all-time
byYOOTeam@daan0701
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md align with a PPT-generation skill that calls a remote Yoo-AI SaaS (API_BASE_URL = https://saas.api.yoo-ai.com) and processes local inputs (.txt/.docx and projects). However the registry metadata declared no required environment variables or credentials while the code requires an API key (YOO_AI_API_KEY or config.json.API_KEY). That omission is a coherence issue and should have been declared.
Instruction Scope
SKILL.md instructs the agent to read local files, parse/validate markdown outlines, and optionally scan a project directory for analysis — all consistent with creating PPTs from local content. It explicitly requires user confirmations in several workflows. These instructions require the agent's Read/file tools and user-supplied paths; they do not attempt broad, unrelated system access beyond reading user-provided files and writing outputs.
Install Mechanism
There is no external install spec (instruction-only with bundled scripts). All code is included in the skill package; there are no remote downloads or obscure install URLs. No archive extraction or unfamiliar install mechanisms were found.
!
Credentials
The runtime requires an API key (getApiKey looks for process.env.YOO_AI_API_KEY or config.json.API_KEY) but the registry metadata lists no required env vars/credentials. Requesting an API key to contact a remote SaaS is proportionate to the skill's purpose, but the metadata omission is misleading and increases risk because users may not realise they must supply a credential that will be sent to a third‑party API. Additionally, the skill will send file contents and project analysis data to that external API — this is necessary for the service but can expose sensitive project contents if not considered.
Persistence & Privilege
The skill writes a .tasks.json in the current working directory and saves generated PPTs to an output_dir (configurable via config.json or default 'outputs'). always:false and no modifications to other skills are requested. Writing local task/state files and outputs is expected, but users should be aware of these filesystem writes and the default output location.
What to consider before installing
Key points to consider before installing or invoking this skill: - Credential requirement (metadata mismatch): The package metadata did not declare any required environment variables, but the code requires an API key (YOO_AI_API_KEY) or config.json.API_KEY. You will need to provide a Yoo‑AI API key for it to work; do not assume it runs fully offline. Prefer creating a scoped/test key for this skill rather than reusing high‑privilege credentials. - External network calls: The skill calls https://saas.api.yoo-ai.com for creating tasks, polling status, getting editor/download URLs, and downloading assets. Uploaded/parsed content (file contents, project summaries) will be transmitted to that service. Only send non-sensitive data or run in an environment where you accept sending that data to the provider. - Local file access and scanning: The skill will read any local files you explicitly provide and can scan a project_path you point it at (analyzeProject recursively inspects directories). Do not point it at repositories or paths that contain secrets, keys, or private data you don't want sent to an external service. - Files written locally: It creates .tasks.json in the working directory and writes outputs to output_dir (default 'outputs' or as configured in config.json). Be prepared for these files and ensure the runtime directory is appropriate. - Missing resources: The code references references/prompts.md; if this file is absent the skill may throw errors. Test in a controlled sandbox first. - Sanity checks: Review the API host (saas.api.yoo-ai.com) and confirm it's the intended provider. If you trust the provider, restrict the API key scope and run the skill in an isolated environment. If you do not trust the provider, do not supply your keys or sensitive files. - Operational suggestions: Run an initial test with minimal, non-sensitive input to verify behavior. If you plan to use project analysis, create a reduced test copy of the project containing only non-sensitive files. Keep the skill's working directory isolated (sandbox/container) and inspect network traffic if you need to verify exactly what is sent. If you want, I can summarize exactly which functions will transmit which user data to the external API (e.g., createPptTask sends text or custom_data; analyzeProject reads and summarizes files) to help you decide which inputs are safe to provide.

Like a lobster shell, security has layers — review code before you run it.

latestvk9771sv29qtxs1ssakg8d9tqz983fe2f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments