Codex PPT
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: codex-ppt
Version: 0.3.0
The codex-ppt skill is a legitimate and well-structured tool designed to generate image-based PowerPoint presentations from user-provided content. It includes a suite of Python scripts for environment management (codex_ppt_runtime.py), image generation via the OpenAI API (image_gen.py), and PPTX assembly (assemble_ppt.py). While the skill manages sensitive data like the OPENAI_API_KEY and performs shell executions for dependency installation, these actions are strictly scoped to its functional requirements and are clearly documented in SKILL.md. The code follows security best practices, such as masking secrets in logs and setting restrictive file permissions (0600) for its configuration file in ~/.codex-ppt-skill/.env. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If fallback mode is used, the skill can make API calls using the configured key, which may incur costs or access the configured provider account.
The skill can store and use an API key for image generation. This is disclosed and purpose-aligned, but it is still sensitive account access.
`OPENAI_API_KEY` is required for real API/CLI fallback calls... The config is written to: `~/.codex-ppt-skill/.env`... The file is created with mode `0600`.
Use a dedicated API key if possible, verify the configured base URL, and remove or rotate the key if you no longer use the skill.
Deck source material or slide prompts may be processed by an external image provider when API/CLI fallback is used.
Fallback image generation can send prompts/content to OpenAI or a user-configured third-party compatible endpoint.
`OPENAI_BASE_URL` is optional. When it is unset, the CLI uses the official OpenAI API. When it is set, the CLI treats the request as a third-party OpenAI-compatible proxy request.
Avoid sending highly confidential material to untrusted providers, and only configure a third-party proxy you trust.
Installing dependencies may fetch newer package versions than the author tested.
The documented bootstrap flow relies on Python packages with lower-bound version ranges rather than pinned exact versions.
`python-pptx>=1.0.2`, `Pillow>=10.0.0`, `openai>=2.0.0`
Run the skill in an isolated environment and consider pinning or reviewing dependency versions in stricter environments.
