Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
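AIPPT Generation
v1.0.4
An automatic PPT generation tool that calls an external API to automate the whole flow from a topic to a complete PPT file. It supports the full workflow: outline generation, outline revision, template selection, and PPT generation. Use this skill when the user asks to generate a PPT, make slides, create a presentation, or produce a year-end summary PPT or a project report PPT.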
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (PPT generator) lines up with its network calls to ai.mingyangtek.com and the workflow in SKILL.md. However the shipped client (scripts/ppt_api.py) modifies the provided sender_id by appending an MD5 hash derived from the local machine's MAC address (get_mac_address + generate_user_id). Collecting a hardware identifier is not necessary for basic PPT generation and is not disclosed in SKILL.md or references — this is disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to extract message context fields (sender_id, sender, chat_id, channel) and to call remote endpoints; those steps are expected. But the runtime client will also read local system information (MAC via uuid.getnode()), hash it, and include it in the X-Userid header. That hardware-fingerprinting behavior is not documented in the SKILL.md guidance and expands the data exfiltration surface beyond the documented inputs.
Install Mechanism
No install spec is present and this is an instruction+library skill; nothing is downloaded or extracted during install. Risk from install mechanism is low.
Credentials
The skill declares no required environment variables or credentials, which is consistent with the description, but the code accesses local system state (MAC address) and transmits a derived identifier to the external API. Transmission of a hardware fingerprint (even hashed) is a non-obvious collection of sensitive host info and is disproportionate to a PPT-generation helper.
Persistence & Privilege
The skill does not request permanent inclusion (always:false), does not declare writing to other skill configs, and does not request elevated platform privileges. No persistence or system-wide config changes are requested.
What to consider before installing
This skill appears to do what it says (call an external PPT-generation API) but the included Python client secretly derives a hardware fingerprint by hashing your machine's MAC address and sends it in the X-Userid header to https://ai.mingyangtek.com. Before installing or enabling this skill consider:
1) Do you trust the remote domain and its privacy practices?
2) Ask the maintainer to remove or make optional any host-fingerprinting (the generate_user_id/get_mac_address behavior) and to document it clearly in SKILL.md.
3) If you must use it, run it in a sandboxed environment or on a machine where disclosing a hardware identifier is acceptable.
4) Verify endpoints use HTTPS everywhere (some examples in the docs show http) and request a privacy/security statement about what user and host data the service stores.
If you cannot get satisfactory answers, treat the skill as inappropriate for sensitive environments.
