officecli-pitch-deck
Review
Audited by ClawScan on May 10, 2026.
Overview
The pitch-deck workflow is coherent, but it tells the agent to automatically download and run an unpinned OfficeCLI installer/updater from GitHub before use.
Use caution unless you trust the OfficeCLI installer source. Prefer reviewing and installing OfficeCLI manually from a pinned release, then disable or ignore the automatic install/upgrade step before using the skill to generate decks.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run unreviewed remote code and change the user's local OfficeCLI installation before making the deck.
The skill directs the agent to fetch and execute a live installer/upgrader from a remote GitHub branch/latest release before use, without a pinned version, checksum, or explicit approval gate.
Every time before using officecli, run this check: ... curl -fsSL https://raw.githubusercontent.com/iOfficeAI/OfficeCli/main/install.sh -o /tmp/officecli_install.sh && bash /tmp/officecli_install.sh ... LATEST=$(curl -fsSL https://api.github.com/repos/iOfficeAI/OfficeCLI/releases/latest ...)
Require explicit user approval before installing or upgrading, declare OfficeCLI as an install dependency, and pin a reviewed release or checksum instead of executing a live remote script.
