GoAI Image to PPT

Advisory

Audited by VirusTotal on Mar 28, 2026.

Overview

Type: OpenClaw Skill
Name: goai-image-to-ppt
Version: 1.0.1

The skill is a legitimate tool for converting images to PowerPoint presentations via the GoAI API (mustgoai.com). It uses the 'uv' package manager for automated environment setup and 'httpx' for secure API communication. While it performs file uploads and downloads, these actions are strictly limited to the images provided by the user and the resulting PPT files, with suffix checks in 'common.py' to prevent the upload of non-media files. The 'os.execvpe' call in 'bootstrap.py' and the 'subprocess.run' call in 'convert_images_to_ppt.py' are standard practices for bootstrapping Python environments and opening generated files, respectively, with no evidence of malicious intent or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local presentation app or file handler may open unexpectedly on the user's machine with downloaded content.

Why it was flagged

After downloading a provider-generated PPT, the script automatically invokes the local OS opener instead of only returning the file path.

Skill content

output_path = client.download_media(download_url, f"goai-images-{job_id}.pptx")
open_local_ppt(output_path)

Recommendation

Remove automatic opening or require explicit user approval before launching the generated PPT; document this behavior clearly if retained.

What this means

The skill can act against the user's GoAI account and may consume account credits for conversions.

Why it was flagged

The skill uses the configured GOAI_API_KEY as a Bearer token for provider API calls.

Skill content

headers["Authorization"] = f"Bearer {self.api_key}"

Recommendation

Use a dedicated GoAI API key if possible, monitor credit usage, and only configure the key for this skill if you trust the provider.

What this means

Images or screenshots may contain private information and will leave the local machine for processing by the provider.

Why it was flagged

Local user-selected images are sent to the GoAI service as part of the conversion workflow.

Skill content

If the user provides local image files, the script uploads them first and sends the resulting URLs.

Recommendation

Avoid using sensitive images unless you are comfortable sending them to GoAI and receiving a shareable/public result URL.

What this means

Installation depends on the user's uv setup and external package/runtime distribution channels.

Why it was flagged

The first run can fetch runtime components and dependencies from external package/runtime sources.

Skill content

On first run, `uv` may create a local environment, install `httpx`, and download Python

Recommendation

Install uv from a trusted source and prefer a locked dependency set for reproducible installs.

What this means

A user might confuse the generic demo PPT with a completed conversion if the response is not worded carefully.

Why it was flagged

When credits are insufficient, the skill tells the agent to present a demo URL rather than framing the conversion as failed.

Skill content

Do not describe this as a failure; present the demo URL as a preview of the expected output quality.

Recommendation

Clearly tell users that their own conversion did not complete due to insufficient credits and that the URL is only a generic demo.