Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SVG PPT Generator

v1.0.0

SVG-based PPT generator with 9 themes, 8 layouts, 30+ charts, and 600+ icons

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (SVG-based PPT generator) matches the included templates and conversion scripts (svg_to_pptx, templates/layouts/*). However, the package also contains multiple image backend adapters (backend_openai.py, backend_replicate.py, backend_stability.py, backend_qwen.py, etc.) and an Image_Generator role — these go beyond pure SVG→PPTX conversion and imply optional networked image-generation capabilities that are not declared in the skill's metadata.
Instruction Scope (flagged)
SKILL.md's runtime instructions are explicit and limited to reading bundled design_spec.md and template SVGs, writing SVG files to /tmp, running local conversion scripts, and optionally running an image-generation pipeline. However, the Technical Flow instructs importing and executing bundled Python scripts (via a workspace path) which can call the included image backends and post-processing tools. The instructions do not mention or require any API keys but the codebase contains modules that will attempt external API calls if invoked — the scope is broader than the SKILL.md declares and could trigger network activity or require credentials not listed.
Install Mechanism
No install spec (instruction-only), so nothing is downloaded at install time. That reduces risk from arbitrary remote installers. However, the skill bundle already contains many Python scripts and templates that will be present on disk when the skill is installed — these files can be executed by the agent at runtime. No external download URLs or extract steps are present in the manifest.
Credentials (flagged)
Registry metadata lists no required environment variables, yet the codebase includes many image backend modules (backend_openai.py, backend_replicate.py, backend_stability.py, backend_zhipu.py, backend_volcengine.py, etc.) which typically require API keys (e.g., OPENAI_API_KEY, REPLICATE_API_TOKEN, STABILITY_KEY). This is a mismatch: either those backends are never used (benign) or they will try to read credentials from the environment at runtime (surprising to users). The SKILL.md does not document what credentials are needed or how external services are selected, so credential access is under-specified and potentially disproportionate.
Persistence & Privilege
The manifest sets always: false and user-invocable: true. The skill does not request to be always-enabled or to modify other skills' configs. It instructs writing temporary files under /tmp and using its own bundled scripts, which is normal for this functionality. The optional reviewer subagent flow increases the operational scope (spawning subagents), but autonomous invocation is not forced by the skill metadata.
What to consider before installing
This skill's description and bundled templates/scripts match — it can generate editable PPTX from SVGs — but exercise caution before enabling it:

1) The package contains many image-backend connectors (OpenAI, Replicate, Stability, Qwen, Volcengine, Zhipu, etc.). If you or the agent trigger image-generation features, those modules may attempt outbound network calls and will look for API keys in the environment; the SKILL.md does not declare those credentials.

2) If you plan to install/use this skill, review the backend_* files to see what providers and env var names are referenced, and only provide API keys you trust the skill to use (or avoid supplying keys and disable image generation).

3) Prefer limiting the skill to manual, user-invoked operations rather than allowing autonomous invocation; if possible, run it in a sandboxed environment (no sensitive env vars) or inspect/strip unused backends.

4) If you need a second opinion, ask the skill author for a minimal README that lists exactly which env vars or external services the skill will use and under what conditions; absence of such a list is a red flag.


latest: vk975pw6bc8cacftv3hv3bcvd3s83vjg3
