Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pitch Deck V2

v1.0.0

AI-powered professional pitch deck outline generator using the $1B Pitch Deck Formula for startup presentations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (pitch deck generator) align with the included SKILL.md and openapi.json: endpoints, request/response shapes, and PPTX generation are all coherent with the stated functionality. No unrelated binaries, env vars, or permissions are requested.
Instruction Scope (flagged)
The runtime instructions explicitly tell the agent to POST complete startupData (company strategy, traction, funding ask, team info, etc.) to /api/pitchdeck/generate and /api/pitchdeck/generate-pptx. Sample responses include download links hosted at api.mkkpro.com. The SKILL.md/openapi.json do not include an explicit server host configuration or privacy policy, and the skill does not explain how submitted data is stored, retained, or protected. Because the instructions require sending potentially sensitive business information to an external service of unknown provenance, this is a significant privacy/exfiltration risk.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk; this minimizes code-install risk. The regex scanner had no files to analyze beyond the SKILL.md/openapi.json.
Credentials (flagged)
The skill requests no credentials or environment variables, which is proportionate to its function, but it still requires transmitting full startup data to an external host. The absence of required credentials does not reduce the sensitivity of the data being sent, and the skill gives no privacy or retention guarantees and does not identify who operates the service. Users should treat all transmitted startup content as potentially accessible to the third-party host.
Persistence & Privilege
The always flag is false and disable-model-invocation is false (normal). The skill does not request persistent agent-level privileges or modify other skills or config. No elevated or permanent privileges are declared.
Scan Findings in Context
[no_regex_matches] expected: The scanner found no code files to analyze (instruction-only). This is expected for an instruction-only API-integration skill, but static regex scanning could not evaluate network/data-transmission behavior described in SKILL.md.
What to consider before installing
This skill appears to do what it says (generate pitch outlines and PPTX files), but it requires you to POST potentially sensitive startup information to an external API of unknown origin (sample download URLs reference api.mkkpro.com). Before installing or using it:
1. Verify the service owner and review a privacy/security policy: who hosts api.mkkpro.com, and how long are submitted data and generated files retained?
2. Never send secrets, investor lists, unreleased financials, or IP you do not want shared; test with dummy data first.
3. Prefer skills from known vendors, or skills that run locally/offline, if you need to keep content private.
4. If you must use the service, monitor network logs, verify TLS and the endpoint hostnames actually contacted, and ask for data-deletion guarantees.
These uncertainties justify caution; more publisher and hosting details would increase confidence.
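As an added example, not part of the skill or of the scan report, the Python script below performs the pre-install review the checklist describes: it enumerates every host a skill's SKILL.md and openapi.json would send data to, lists each request body and the field names it carries, and builds a synthetic payload so the service can be tried with placeholder values before any real startup data is sent. The openapi.json and SKILL.md excerpt embedded in the script are constructed to match the shapes the report describes (two POST endpoints taking a startupData object, no servers block, a sample download URL on api.mkkpro.com) and are not the skill's real files; the property names under startupData are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs (not the skill's real files). The openapi.json and the
# SKILL.md excerpt are shaped like the scan report describes: two POST endpoints
# that take a startupData object, no "servers" block, and a sample download URL.
# The property names under startupData are assumptions for illustration.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/pitchdeck/generate": {"post": {"requestBody": {"content": {
            "application/json": {"schema": {"properties": {"startupData": {
                "type": "object",
                "properties": {
                    "companyName": {"type": "string"},
                    "traction": {"type": "string"},
                    "fundingAsk": {"type": "string"},
                    "team": {"type": "array"},
                }}}}}}}}},
        "/api/pitchdeck/generate-pptx": {"post": {"requestBody": {"content": {
            "application/json": {"schema": {"properties": {
                "startupData": {"type": "object"}}}}}}}},
        "/api/health": {"get": {}},
    },
})

SAMPLE_SKILL_MD = """\
POST the complete startupData to /api/pitchdeck/generate.
Sample response: {"downloadUrl": "https://api.mkkpro.com/files/deck.pptx"}
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def hosts_in_text(text):
    """Every hostname that appears in an absolute URL in free text (SKILL.md)."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def schema_fields(schema, prefix=""):
    """Dotted property names from a (possibly nested) JSON schema; arrays get '[]'."""
    out = []
    for name, sub in (schema.get("properties") or {}).items():
        path = prefix + name
        out.append(path)
        if isinstance(sub, dict):
            out.extend(schema_fields(sub, path + "."))
            if isinstance(sub.get("items"), dict):
                out.extend(schema_fields(sub["items"], path + "[]."))
    return out


def data_sinks(spec):
    """Each operation that accepts a request body, with the fields it would receive."""
    sinks = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            body = (op or {}).get("requestBody")
            if not body:
                continue
            fields = []
            for media in body.get("content", {}).values():
                fields.extend(schema_fields(media.get("schema", {})))
            sinks.append({"method": method.upper(), "path": path, "fields": fields})
    return sinks


def review_skill(openapi_text, skill_md_text, allowlist=()):
    """Pre-install review: where would data go, and what data would be sent?"""
    spec = json.loads(openapi_text)
    servers = [s.get("url", "") for s in spec.get("servers", [])]
    hosts = hosts_in_text(skill_md_text)
    hosts |= {h for h in (urlparse(u).hostname for u in servers) if h}
    return {
        "servers_declared": bool(servers),  # False means the host is implied, not declared
        "hosts": sorted(hosts),
        "unlisted_hosts": sorted(h for h in hosts if h not in set(allowlist)),
        "sinks": data_sinks(spec),
    }


def dummy_payload(sink):
    """Synthetic request body for a sink, so the service can be exercised with
    placeholder values before any real business information is sent."""
    fields = sink["fields"]
    leaves = [f for f in fields
              if not any(g.startswith(f + ".") or g.startswith(f + "[].") for g in fields)]
    payload = {}
    for leaf in leaves:
        parts = leaf.replace("[]", "").split(".")
        node = payload
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = "TEST-" + parts[-1]
    return payload


if __name__ == "__main__":
    report = review_skill(SAMPLE_OPENAPI, SAMPLE_SKILL_MD, allowlist=())
    print(json.dumps(report, indent=2))
    for sink in report["sinks"]:
        print(sink["method"], sink["path"], "->", json.dumps(dummy_payload(sink)))
```

Run it against a skill's actual SKILL.md and openapi.json (replace the two constructed samples) with an allowlist of hosts you have vetted; any entry in unlisted_hosts is a destination you have not accounted for, and servers_declared being false means the API host is only implied by sample URLs, which is exactly the gap the scan report notes. The synthetic payload mirrors the schema so a first test run sends nothing real.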


latest · vk974resnefe8fst4daqjqxty9183g3mh
