GoAI Image to PPT

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local presentation app or file handler may open unexpectedly on the user's machine with downloaded content.

Why it was flagged

After downloading a provider-generated PPT, the script automatically invokes the local OS opener instead of only returning the file path.

Skill content

output_path = client.download_media(download_url, f"goai-images-{job_id}.pptx")
open_local_ppt(output_path)

Recommendation

Remove automatic opening or require explicit user approval before launching the generated PPT; document this behavior clearly if retained.

What this means

The skill can act against the user's GoAI account and may consume account credits for conversions.

Why it was flagged

The skill uses the configured GOAI_API_KEY as a Bearer token for provider API calls.

Skill content

headers["Authorization"] = f"Bearer {self.api_key}"

Recommendation

Use a dedicated GoAI API key if possible, monitor credit usage, and only configure the key for this skill if you trust the provider.

What this means

Images or screenshots may contain private information and will leave the local machine for processing by the provider.

Why it was flagged

Local user-selected images are sent to the GoAI service as part of the conversion workflow.

Skill content

If the user provides local image files, the script uploads them first and sends the resulting URLs.

Recommendation

Avoid using sensitive images unless you are comfortable sending them to GoAI and receiving a shareable/public result URL.

What this means

Installation depends on the user's uv setup and external package/runtime distribution channels.

Why it was flagged

The first run can fetch runtime components and dependencies from external package/runtime sources.

Skill content

On first run, `uv` may create a local environment, install `httpx`, and download Python

Recommendation

Install uv from a trusted source and prefer a locked dependency set for reproducible installs.

What this means

A user might confuse the generic demo PPT with a completed conversion if the response is not worded carefully.

Why it was flagged

When credits are insufficient, the skill tells the agent to present a demo URL rather than framing the conversion as failed.

Skill content

Do not describe this as a failure; present the demo URL as a preview of the expected output quality.

Recommendation

Clearly tell users that their own conversion did not complete due to insufficient credits and that the URL is only a generic demo.