Slides/PPT generation and voice narration

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: 2slides-skills
Version: 1.0.0

The skill is classified as suspicious due to potential vulnerabilities related to input sanitization and command execution. Specifically, the `SKILL.md` instructs the AI agent to execute Python scripts with arguments that are likely derived from user input (e.g., `--content`, `--query`, `--output`). If the agent does not properly sanitize or escape user-provided strings before interpolating them into shell commands, this could lead to shell injection vulnerabilities. Additionally, the `scripts/download_slides_pages_voices.py` script accepts an `--output` argument for the download path, which, if not sanitized for path traversal by the agent, could allow arbitrary file writes to the system. While the skill's code itself does not exhibit explicit malicious intent (e.g., data exfiltration to unauthorized domains, backdoors), these design choices create significant attack surfaces for an agent that lacks robust input validation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide an API key that may allow API usage and credit consumption on their 2slides account.

Why it was flagged

The scripts use a local 2slides API key as a bearer token to act on the user's 2slides account; this is expected for the service integration and is not logged or sent to unrelated endpoints in the shown code.

Skill content

    api_key = os.environ.get("SLIDES_2SLIDES_API_KEY")
    ...
    "Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated 2slides API key if possible, keep it out of shared logs or repositories, monitor credit usage, and revoke the key if you stop using the skill.

What this means

Presentation text, summarized document content, and reference-image information may leave the local environment and be processed by 2slides.

Why it was flagged

User-provided presentation content is sent to the external 2slides API; this is central to the skill's purpose and is disclosed, but it is still an external data transfer.

Skill content

    payload = {
        "userInput": user_input,
        "themeId": theme_id,
        "responseLanguage": response_language,
        "mode": mode
    }
    ...
    requests.post(url, headers=headers, json=payload, timeout=timeout)

Recommendation

Avoid sending confidential, regulated, or proprietary material unless you are comfortable with 2slides processing it under its terms and privacy policy.

What this means

Large presentations or narration requests can use a meaningful number of account credits.

Why it was flagged

The skill's normal API operations consume paid 2slides credits; the cost model is disclosed and purpose-aligned, but users should be aware of the financial impact of high page counts, 4K output, or narration.

Skill content

    Credit Costs:
    - Fast PPT: 10 credits/page
    - Nano Banana 1K/2K: 100 credits/page
    - Nano Banana 4K: 200 credits/page
    - Voice Narration: 210 credits/page

Recommendation

Confirm page count, resolution, generation mode, and narration options before running large jobs.