Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slides/PPT generation and voice narration

v1.0.0

AI-powered presentation generation using 2slides API. Create slides from text content, match reference image styles, or summarize documents into presentations. Use when users request to "create a presentation", "make slides", "generate a deck", "create slides from this content/document/image", or any presentation creation task. Supports theme selection, multiple languages, and both synchronous and asynchronous generation modes.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Slides/PPT generation + voice narration via 2slides) match the included scripts and SKILL.md: scripts call only the https://2slides.com API and implement generation, narration, download, theme search, and job-status polling. However, the registry metadata lists no required environment variables while SKILL.md and every script require SLIDES_2SLIDES_API_KEY — a clear metadata/runtime mismatch that should be resolved.
Instruction Scope
Runtime instructions are narrowly scoped to contacting the 2slides API, creating jobs, polling job status, requesting narration, and downloading export archives. The SKILL.md asks the user to set an API key and to provide content, reference image URLs, or job IDs; the scripts only read the declared SLIDES_2SLIDES_API_KEY and do not attempt to access unrelated system files or credentials.
Install Mechanism
This is an instruction-only skill (no install spec), but the bundle includes multiple Python scripts that depend on the 'requests' library and a Python runtime. There is no declared dependency list or installation instructions for Python packages. No remote downloads or unusual URLs are used by the install process; network calls go to the 2slides domain. Missing dependency/install guidance is a usability/security gap (could lead users to run scripts without knowing required packages or to install missing packages from unverified sources).
Credentials
Scripts require a single API credential (SLIDES_2SLIDES_API_KEY), which is proportionate for a cloud API integration. The inconsistency is that the registry metadata indicates no required env vars while SKILL.md and all scripts depend on that single secret — the omission in metadata is misleading and should be corrected. No other secrets/config paths are requested.
Persistence & Privilege
The skill does not request permanent/always-on privileges (always:false) and does not modify other skills or system-wide settings. It writes downloaded ZIP files to the local working directory (expected behavior for a downloader) but otherwise does not persist credentials or alter agent configuration.
What to consider before installing
What to check before installing:
- Metadata vs runtime: The registry metadata says no env vars, but SKILL.md and every script require SLIDES_2SLIDES_API_KEY. Treat that as a documentation bug — confirm the skill will only need that single API key before installing.
- API key safety: This skill sends your SLIDES_2SLIDES_API_KEY to https://2slides.com endpoints. Only provide the key if you trust that service and are willing to accept API usage and credit costs (narration and high-res generation can be expensive). Rotate the key later if you test it in a shared environment.
- Dependencies and execution environment: The bundle includes Python scripts that use the 'requests' package but there is no install spec. Run them in an isolated environment (virtualenv/container) and install packages from a trusted source (pip). Avoid running arbitrary scripts system-wide without review.
- Verify domain and endpoints: The scripts only call https://2slides.com/api/v1. Confirm that domain (and certificate) is legitimate and matches the service you expect.
- Sandboxing: If you have doubts, run the scripts in a sandboxed VM or container, and monitor outbound network calls to confirm only 2slides endpoints are contacted.
- Cost & privacy: Be aware that uploads (content, reference images, documents) and generated audio/images are sent to the vendor. Check the provider's privacy policy if you handle sensitive data.
- Fixes recommended: Ask the publisher to correct the registry metadata to declare SLIDES_2SLIDES_API_KEY and to add a minimal install section listing Python and 'requests' (and any other deps). If the publisher cannot be reached, treat the missing metadata as a risk factor and follow the sandboxing guidance above.

Like a lobster shell, security has layers — review code before you run it.
