PPT Presenter — presentation-grade PPT generator with word-for-word speaker notes
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the prompt file contains a malicious or accidental path-like slide name, the script could overwrite files outside the intended images folder with generated image data.
The output filename is taken directly from prompts.json and joined to the output directory without sanitizing absolute paths or path traversal segments.
name = slide["name"] ... outpath = os.path.join(args.output_dir, f"{name}.{ext}") ... with open(outpath, "wb") as f:
Sanitize slide names to safe basenames or slugs, reject absolute paths and '..', and write only inside a dedicated output directory.
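The following is an added example, not code from the skill or from the ClawScan review. It reproduces the unchecked join quoted above beside a hardened replacement that rejects path-like names, reduces the rest to a slug, and re-checks containment right before the path would be opened. The slide entries at the bottom are constructed sample data standing in for prompts.json; the function names are ours.

```python
import hashlib
import os
import re

# Vulnerable pattern quoted in the finding: the slide name from prompts.json
# is joined to the output directory without any validation, so a name such
# as "../../etc/cron.d/evil" resolves outside the images folder.
def unsafe_outpath(output_dir: str, name: str, ext: str) -> str:
    return os.path.join(output_dir, f"{name}.{ext}")

def escapes(output_dir: str, path: str) -> bool:
    """True if `path` resolves to a location outside `output_dir`."""
    base = os.path.abspath(output_dir)
    return os.path.commonpath([base, os.path.abspath(path)]) != base

_SLUG_RE = re.compile(r"[^A-Za-z0-9_-]+")

def slugify(name: str) -> str:
    """Reduce an untrusted slide name to a plain basename.

    Every run of characters outside [A-Za-z0-9_-] becomes a single '-',
    leading/trailing dots and dashes are dropped (no hidden files, no '..'),
    and a name that collapses to nothing gets a stable hash-derived stand-in.
    """
    slug = _SLUG_RE.sub("-", name).strip("-.")
    if not slug:
        slug = "slide-" + hashlib.sha256(name.encode("utf-8")).hexdigest()[:12]
    return slug[:64]

def safe_outpath(output_dir: str, name: str, ext: str) -> str:
    """Hardened replacement: fail loudly on path-like names, slug the rest,
    and verify the resolved path still lies inside output_dir before use."""
    if not isinstance(name, str) or not name:
        raise ValueError("slide name must be a non-empty string")
    # Reject outright rather than silently "fixing": absolute paths,
    # separators of either flavour, and bare dot segments.
    if os.path.isabs(name) or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"rejected path-like slide name: {name!r}")
    if not re.fullmatch(r"[A-Za-z0-9]{1,8}", ext):
        raise ValueError(f"rejected extension: {ext!r}")
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, f"{slugify(name)}.{ext}"))
    # Containment check as defence in depth: the slug should make this
    # unreachable, but the invariant is cheap to enforce right before open().
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes output directory")
    return candidate

def is_rejected(output_dir: str, name: str, ext: str) -> bool:
    """True if the hardened policy refuses this name/extension pair."""
    try:
        safe_outpath(output_dir, name, ext)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed stand-in for the "slides" entries of prompts.json.
    slides = [
        {"name": "Intro: Why Zero Trust?", "prompt": "constructed prompt"},
        {"name": "../../etc/cron.d/evil", "prompt": "constructed prompt"},
        {"name": "/tmp/outside", "prompt": "constructed prompt"},
        {"name": "...", "prompt": "constructed prompt"},
    ]
    for slide in slides:
        unsafe = unsafe_outpath("./images", slide["name"], "png")
        try:
            safe = safe_outpath("./images", slide["name"], "png")
        except ValueError as exc:
            safe = f"REJECTED ({exc})"
        print(f"{slide['name']!r}: unsafe={unsafe} "
              f"escapes={escapes('./images', unsafe)} safe={safe}")
```

Rejecting path-like names instead of quietly slugging them is deliberate: a prompt file that carries "../../etc/cron.d/evil" as a slide name is either hostile or broken, and either way the run should stop rather than emit an image under a mangled name.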
Using the skill may consume quota or incur costs on the Gemini account whose key is provided.
The helper uses a Gemini API key for the stated image-generation purpose; this is expected, but it is still delegated account access.
parser.add_argument("--api-key", default=os.environ.get("GEMINI_API_KEY", ""), help="Gemini API key")
Use a dedicated Gemini API key with appropriate limits, and provide it only when image generation is actually needed.
Sensitive presentation topics or notes could be shared with the external Gemini provider during image generation.
Slide image prompts are sent to Google's Generative Language API, which is disclosed and purpose-aligned but may include content derived from user notes.
url = f"https://generativelanguage.googleapis.com/v1beta/models/{model}:generateContent?key={api_key}" ... "text": f"Generate this image: {prompt}"
Avoid sending confidential material in prompts unless the user approves that provider data flow.
Opening the generated presentation may contact third-party CDNs, and the presentation depends on those resources being available and trustworthy.
The generated presentation template loads reveal.js and related assets from external CDNs; this is common for HTML slides but depends on third-party runtime resources.
<script src="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/reveal.js"></script>
For private or offline presentations, vendor the reveal.js assets locally or add stronger integrity/pinning controls.
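An added example of the integrity/pinning control recommended above; it is not part of the skill's template or of the ClawScan review. It computes a Subresource Integrity value for an asset, renders the pinned `<script>` tag (for either the CDN URL or a vendored local copy), and checks a file against a stored pin at build time. The asset bytes are a constructed stand-in, not reveal.js 5.1.0, so the digest it produces is not the real SRI hash for that CDN file; hash the exact bytes you ship.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a vendored copy of reveal.js. These are NOT the
# bytes of reveal.js 5.1.0, so the digest computed from them is not the real
# SRI value for the CDN file; in practice hash the exact file you pin.
VENDORED_ASSET = (
    b"/* constructed stand-in for reveal.js; not the real library */\n"
    b"window.Reveal = { initialize: function () {} };\n"
)

def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-<base64 digest>' (sha256/384/512)."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"SRI does not accept {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag pinned to `data`. crossorigin="anonymous" is
    required for the browser to enforce integrity on a cross-origin load."""
    return (
        f'<script src="{src}" integrity="{sri_hash(data)}" '
        f'crossorigin="anonymous"></script>'
    )

def matches_pin(data: bytes, expected: str) -> bool:
    """Build-time check: does a fetched or vendored file still match the
    pinned integrity value recorded in the template?"""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(data, algo), expected)

if __name__ == "__main__":
    pin = sri_hash(VENDORED_ASSET)
    # Same pin works for the CDN URL and for a local vendored copy; the
    # local form is the right choice for private or offline decks.
    print(script_tag("https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/reveal.js", VENDORED_ASSET))
    print(script_tag("./vendor/reveal.js", VENDORED_ASSET))
    print("pin holds:", matches_pin(VENDORED_ASSET, pin))
    print("tampered:", matches_pin(VENDORED_ASSET + b"alert(1)", pin))
```

With the integrity attribute present, a browser refuses to execute a script whose bytes no longer match the pin, which covers a compromised or substituted CDN file; it does not cover the CDN being unavailable, which is why vendoring is the stronger option for decks that must work offline.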
