ppt2fig Export

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s slide-to-PDF purpose is coherent, but its helper can execute a locally discovered or unpinned downloaded executable whose provenance is not tightly controlled.

Use this skill only if you trust the ppt2fig executable source. Prefer installing a verified ppt2fig binary in the OpenClaw tool directory or on PATH, and avoid running the helper from directories that may contain untrusted dist/ppt2fig-cli.exe files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent runs the helper from a directory containing a matching dist/ppt2fig-cli.exe, that executable could run under the user's account during conversion.

Why it was flagged

The helper can execute a ppt2fig-cli executable found under the current working directory's dist folder. That is broader than a fixed OpenClaw install path or an explicit PATH lookup and could run an unintended local executable if present.

Skill content

str(Path.cwd() / "dist" / "ppt2fig-cli-upx.exe"),
str(Path.cwd() / "dist" / "ppt2fig-cli.exe"),
...
completed = subprocess.run(command)

Recommendation

Restrict executable discovery to the OpenClaw-managed install directory, a verified package-relative path, or an explicit user-selected binary; disclose all fallback locations and avoid current-working-directory executable lookup.

What this means

The binary installed and later executed may change over time as the upstream latest release changes.

Why it was flagged

The skill discloses downloading a Windows executable from GitHub's moving latest release URL. This fits the skill's purpose, but the artifact does not pin a version or provide a checksum.

Skill content

"url":"https://github.com/elliottzheng/ppt2fig/releases/latest/download/ppt2fig-cli.exe","targetDir":"~/.openclaw/tools/ppt2fig-export"

Recommendation

Prefer a pinned release version with checksum verification, or install ppt2fig from a source the user explicitly trusts.