ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pptx Extract

v0.4.0

Extract content from PowerPoint (.pptx) presentations to Markdown using MinerU. Pulls slide content including text, structure, and formatting into readable o...

0· 73·0 current·0 all-time
by@mzlzyca
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (PPTX -> Markdown via MinerU) aligns with required binary (mineru-open-api) and the described commands. Minor incoherence: SKILL.md documents a no-token 'flash-extract' mode, but the registry metadata lists MINERU_TOKEN as a required env var/primary credential, which implies the token is mandatory even though the tool can operate in tokenless mode for quick extracts.
Instruction Scope
Runtime instructions are narrowly scoped to running the mineru-open-api CLI (flash-extract, extract, auth) against local files or URLs. They do not instruct reading unrelated system files or other environment variables. It does call an interactive 'mineru-open-api auth' and references exporting MINERU_TOKEN.
Install Mechanism
Install paths are typical: npm package 'mineru-open-api' and a Go 'go install' from github.com/opendatalab. These are expected for a CLI tool, but npm installs run package scripts during install and Go installs pull code from GitHub — users should verify the npm package and GitHub repo before installing globally.
Credentials
Only MINERU_TOKEN is declared as the required credential, which matches the 'extract' and 'crawl' functionality. The metadata's blanket requirement of MINERU_TOKEN is inconsistent with the documented no-token 'flash-extract' mode; otherwise the requested credential is proportionate to the skill's purpose.
Persistence & Privilege
The skill is not always-installed (always: false), requests no config paths, and does not ask to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
What to consider before installing
This skill appears coherent for extracting .pptx files using the MinerU CLI, but check a few things before installing: 1) Verify the npm package (mineru-open-api) and the GitHub repo (opendatalab/MinerU-Ecosystem) to ensure they're the official project and review install scripts. 2) Understand that MINERU_TOKEN is needed for full 'extract' functionality but 'flash-extract' can run without a token — the registry metadata marking the token as required is inconsistent with the README. 3) Do not paste sensitive tokens into a webpage you don't trust; create a token with minimal scope and rotate/delete it if you stop using the skill. 4) If you must install globally, consider installing in a sandbox or container first to inspect runtime behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97910p8fxknad4ssazpyggfph844pce

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis
Binsmineru-open-api
EnvMINERU_TOKEN
Primary envMINERU_TOKEN

Install

Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via go install
Bins: mineru-open-api

Comments