Generate Presentation
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its presentation-generation purpose, but it includes an unrelated rsync command permission and broad image file read/write capabilities that should be reviewed before use.
Before installing, remove or review the included Claude local settings, especially Bash(rsync:*). Configure a dedicated OpenAI API key, avoid confidential content unless provider use is acceptable, and keep generated image outputs scoped to the presentation folder.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this settings file is honored by the user's agent environment, the agent may be allowed to run broad rsync file operations without normal approval prompts.
The package includes a Claude local settings file that pre-allows all rsync commands. Rsync can copy, sync, overwrite, or delete files and is not described as necessary for generating presentations.
"allow": [ "WebFetch(domain:docs.openclaw.ai)", "WebFetch(domain:design.dev)", "Bash(rsync:*)" ]
Remove the packaged .claude/settings.local.json or replace Bash(rsync:*) with narrowly scoped, user-approved commands that are clearly required for the skill.
A compromised or mistaken agent invocation could read/upload a local image file or write generated images outside the intended presentation folder, including overwriting writable image files.
The MCP image tools accept absolute input and output paths and write generated image data to the supplied path, but the code shown does not restrict those paths to the presentation directory.
image: z.string().describe("Absolute image path or base64 string to edit.") ... file_output ... "Path must be absolute" ... await fs.writeFile(filePath, Buffer.from(img.b64, "base64"));
Constrain MCP file inputs and outputs to the workspace presentation directory by default, require explicit user confirmation for other paths, and avoid exposing generic edit/write capabilities when not needed.
Using the skill can consume OpenAI API quota and exposes the configured key to the MCP server process.
The skill requires an OpenAI API key for image generation. This is expected for the stated feature, but it is still a real credential with cost and account implications.
Create a `.env` file with your OpenAI API key: OPENAI_API_KEY=sk-your-key-here
Use a dedicated, limited OpenAI API key if possible, store it securely, and monitor usage.
Slide content, prompt details, or selected images may be transmitted to the configured AI provider during image generation or editing.
The presentation workflow relies on an MCP server that sends image prompts, and for editing may send source images, to OpenAI or Azure OpenAI.
An MCP (Model Context Protocol) server that provides AI image generation and editing capabilities using OpenAI's GPT Image models.
Avoid using confidential slide material or private images unless your provider account and data policy allow it; disclose this transfer clearly to users.
Users must run local dependency installation and build commands to enable full functionality, which expands the trust placed in the bundled Node/Python environment.
The README requires manual package installation/build steps even though the registry reports no install spec. The package-lock helps, but the setup occurs outside a formal install contract.
cd presentation-generation-skill/mcp-servers/openai-gpt-image npm install npm run build ... pip install Pillow
Review the package-lock and dependencies before installing, prefer reproducible install instructions, and consider adding an explicit install spec with declared dependencies.
