ClawHub

Image To PPT Pro

PassAudited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill Name: image-to-ppt-pro Version: 1.0.1 The skill bundle contains a script (scripts/extract_text.py) that performs automated system-level package installations using 'apt-get install' and 'pip install --break-system-packages' via subprocess. While these actions are aligned with the stated purpose of enabling OCR functionality, the practice of a skill bundle modifying the host environment's system state is a high-risk behavior. The rest of the bundle, including the detailed instructions in SKILL.md and the coordinate validation in scripts/preflight.py, appears focused on the legitimate task of image-to-PPT conversion.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
ASI05: Unexpected Code Execution
What this means

Running the helper may change the local system/Python environment and execute package installation logic from configured repositories without a separate user approval prompt.

Why it was flagged

The OCR helper can run OS and Python package-manager commands automatically when dependencies are missing, rather than requiring an explicit managed install step.

Skill content
Dependencies (auto-installed on first run): ... apt-get install -y tesseract-ocr ... subprocess.run(["apt-get","install","-y","-q", ...], check=True) ... subprocess.run([sys.executable,"-m","pip","install","pytesseract","--break-system-packages","-q"], check=True)
Recommendation

Move dependency installation to a declared install spec, pin versions, use a virtual environment or container, and require explicit user approval before apt-get or pip installation.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Dependency behavior may vary over time and global installs can affect other projects on the same machine.

Why it was flagged

The documented setup uses unpinned global/system package installs. These dependencies are relevant to PPT/OCR generation, but the install path is not isolated or version-locked.

Skill content
npm install -g pptxgenjs
pip install Pillow numpy pytesseract --break-system-packages -q
# LibreOffice + pdftoppm (from poppler-utils)
Recommendation

Prefer pinned dependencies in an isolated environment and document exact package versions and OS packages needed.