ppt-mcp-server
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is clearly for generating PowerPoint files, but it does so by letting the agent run unrestricted Python code on your computer.
Install this only if you are comfortable letting the agent run Python code locally. Prefer using it in a sandboxed folder, VM, or container, and review the generated Python before allowing execution.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious prompt, compromised context, or model mistake could run arbitrary Python with the user's local permissions, including reading or writing files, making network calls, or hanging the server.
The MCP tool executes agent-supplied Python with full built-ins and no sandbox or import allowlist.
"__builtins__": __builtins__, ... exec(processed_code, exec_globals)
Use only in an isolated environment; require explicit review/approval before execution; sandbox the process; restrict built-ins/imports; and add timeouts and resource limits.
The agent may run generated Python code immediately during normal PPT requests, increasing the chance that unsafe or unintended code executes before the user can inspect it.
The skill directs the agent to automatically execute and retry generated code, without requiring a user confirmation step for a high-impact tool.
After generating code, you must call execute_pptx_code to execute it; if execution fails, fix the code and execute it again
Change the workflow so generated code is shown to the user first and execution requires explicit confirmation, especially for any imports, filesystem access, or non-PPT operations.
A crafted filename could cause the save path to point outside the intended output folder, creating or overwriting files in unexpected locations.
The filename parameter is documented as an output filename, but it is not normalized to a basename after user/agent input, so absolute paths or ../ segments can bypass the intended output directory.
if filename:
    pure_name = filename if filename.endswith('.pptx') else filename + '.pptx'
    new_path = os.path.join(OUTPUT_DIR, pure_name)
Always reduce filename to a safe basename, reject absolute paths and path traversal segments, and verify the resolved path remains inside OUTPUT_DIR before saving.
Future installs may resolve to different package versions than those reviewed here.
Dependencies are expected for this Python MCP tool, but they are version ranges rather than pinned versions.
mcp>=1.6.0
python-pptx>=0.6.21
Pin dependency versions or provide a lockfile for more reproducible installs.
