AI Slides & Presentation

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate YouMind slide-generation skill, but it requires trusting YouMind’s CLI/API with your API key and presentation content.

Before installing, make sure you trust YouMind and its npm CLI. Configure YOUMIND_API_KEY through your environment or OpenClaw config rather than pasting it into chat, and avoid putting sensitive information into slide prompts unless you are comfortable storing it in YouMind.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation

Low

What this means

The agent can run YouMind CLI commands while using this skill, so actions should stay limited to the requested slide-generation task.

Why it was flagged

The skill requests broad CLI and inline Node tool access, although the documented workflow uses these for YouMind API calls and JSON parsing.

Skill content

allowed-tools:
  - Bash(youmind *)
  - Bash(node -e *)

Recommendation

Use the skill only for intended slide creation, and prefer narrower tool permissions in future versions, such as specific YouMind API methods and fixed parsing commands.

ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Installing the CLI adds software from npm to the local environment.

Why it was flagged

The skill depends on installing an external npm CLI globally; that package code is not included in the provided artifacts for review.

Skill content

npm install -g @youmind-ai/cli

Recommendation

Install the CLI only if you trust YouMind and the npm package source; review the package page and keep it updated.

ASI03: Identity and Privilege Abuse

Low

What this means

The skill can create slide-generation chats and documents in the YouMind account associated with the API key.

Why it was flagged

The skill requires a YouMind API key so the CLI can act on the user’s YouMind account.

Skill content

primaryEnv: YOUMIND_API_KEY
    requires:
      anyBins: ["youmind", "npm"]
      env: ["YOUMIND_API_KEY"]

Recommendation

Use a key intended for this service, store it in environment/config as instructed, and do not paste it into chat.

ASI07: Insecure Inter-Agent Communication

Low

What this means

Presentation topics, outlines, and generated slide content may leave the local chat and be stored by the YouMind service.

Why it was flagged

The user’s topic or outline is sent to YouMind and the resulting deck is stored in a YouMind board.

Skill content

Slides are created as a document in your YouMind board.

Recommendation

Avoid including confidential business or personal information unless you are comfortable storing it in YouMind.

ASI10: Rogue Agents

Low

What this means

A short-lived background task may keep checking slide-generation status while the main conversation continues.

Why it was flagged

The skill may continue a bounded polling task in the background after telling the user that slides are being generated.

Skill content

spawn a subagent/background task for the polling work. Return control to the user immediately.

Recommendation

Ensure the platform shows or manages background tasks clearly, and stop the task if you no longer want the slide generation to continue.