Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QoderWork PPT (Jack)

v1.0.0

Generate QoderWork-style presentations. Automatically matches 14 templates based on your topic and outputs an editable .pptx file.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the shipped templates, rules, and Node scripts. Required artifacts (HTML templates, manifest, validation/fill/convert scripts) are appropriate and proportional to generating PPTX output.
Instruction Scope
Runtime instructions stay within the PPT-generation workflow (create output/, generate content.md, build slides.json, run provided node scripts). They do instruct the agent to call helper tools like generate_image or web_search for some image slots — those are plausible for image acquisition but are not defined in the skill and may cause network/API activity outside the skill. The instructions also require running npm and node scripts (which will execute code in the skill directory).
Install Mechanism
No automated install spec is embedded; user is told to run npm install in the skill directory. That is expected but means npm will fetch packages (puppeteer downloads Chromium, etc.). This is normal for Node tools but carries the usual network/third-party-package risk — review package.json and package-lock before installing.
Credentials
The skill declares no required environment variables, credentials, or special config paths. The only implied external needs are optional image generation/web search calls (which could require API keys depending on how your agent implements generate_image/web_search), but nothing in the skill asks for unrelated secrets.
Persistence & Privilege
The always flag is false, and the skill does not request elevated or system-wide persistence. It writes files under the project workspace (output/), which is expected for a generator. It does not modify other skills or global configs.
Scan Findings in Context
[base64-block] expected: The skill's templates and filled HTML embed many data:image/...;base64 blobs (backgrounds and sample images). The scanner flagged base64-block, but base64 images are expected in offline HTML templates and are not by themselves malicious. Still review large embedded blobs if you need to verify origin.
Assessment
This skill appears to do what it says, but take these precautions before running:
1) Inspect package.json and package-lock.json to confirm dependencies and any postinstall scripts.
2) Run npm install and the pipeline in an isolated environment (or sandbox), because Puppeteer will download and launch Chromium and node modules will execute code.
3) Confirm how your agent supplies generate_image / web_search (these are not defined in the skill) and whether they will call external APIs that require keys; provide credentials only if you trust the image provider.
4) If you need to be extra cautious, open the scripts (scripts/*.js) and search for network endpoints, exec/child_process usage, or unexpected file-system paths before executing.
5) Expect the skill to write output files under the working directory (output/ and output/images/) and avoid running it from sensitive system root paths.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
pptx/scripts/run-pipeline.js:54
Shell command execution detected (child_process).
pptx/scripts/fill-template.js:9
File read combined with network send (possible exfiltration).

