Skill v2.0.0
ClawScan security
Mck Ppt Design Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 5:05 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and files are consistent with its stated purpose (programmatic generation of McKinsey-style .pptx files using python-pptx); nothing in the package requests unrelated credentials or attempts hidden network exfiltration.
- Guidance: This package appears to do exactly what it says: generate McKinsey-style .pptx files using python-pptx and optionally send them via the OpenClaw platform CLI. Before enabling it in a production agent, consider:
  1. Run the example in an isolated environment (virtualenv/container) and inspect the generated PPTX to confirm formatting and cleanup behavior.
  2. If you do not want generated files sent to chat channels, ensure the 'openclaw' CLI is not installed or review/modify deliver_to_channel() to disable automatic delivery.
  3. Install dependencies from examples/requirements.txt (python-pptx, lxml) and verify your runtime will provide python3/pip as SKILL.md expects — the registry metadata does not list required binaries, so installation may need manual steps.
  4. Review the full_cleanup() function (it rewrites pptx XML) if you have strict provenance or auditing requirements for generated files.

  Overall the skill is coherent with its purpose and contains no hidden endpoints or secret exfiltration.
Review Dimensions
- Purpose & Capability (ok): Name/description promise (python-pptx based McKinsey-style slide generation) matches the included code and docs. The repository contains python examples, design rules, layout catalogs, and helper functions for pptx generation and XML cleanup — all proportional to the stated goal. Minor metadata mismatch: SKILL.md lists required tools (python3, pip) while registry metadata lists no required binaries; this is an administrative inconsistency but not a security concern.
- Instruction Scope (note): SKILL.md and the example scripts direct the agent to create .pptx files, perform local XML cleanup of PPTX contents, and optionally call an 'openclaw' CLI to deliver files to messaging channels. All actions are within the claimed scope (generate and optionally deliver presentations). The only external action is invoking the platform's 'openclaw message send' CLI when available — this is explicit in the code and docs and not hidden, but users should be aware generated files may be sent to channels if the CLI exists in the runtime.
- Install Mechanism (ok): There is no install spec (instruction-only skill + example scripts). Dependencies are standard (python-pptx, lxml) declared in examples/requirements.txt and README; no remote downloads, custom binaries, or archive extraction are present. This is low-risk from an install perspective.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths, and the code does not attempt to read secrets or unrelated config files. The only external integration is the optional 'openclaw' CLI invocation; that uses CLI tooling to send media and does not embed or require credentials inside the skill itself (it defers to the platform CLI).
- Persistence & Privilege (ok): The skill does not request persistent presence (always: false) and does not modify other skills or system-wide agent settings. It writes output .pptx files and temporary zip files during cleanup, which is normal for a generator and proportional to its purpose.
