PopAI Presentation Slides

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent PopAI slide-generation integration, but it gives risky guidance to store the PopAI access token in a persistent TOOLS.md file and sends selected files to PopAI/S3.

Before installing, confirm you are comfortable sending presentation topics and any selected reference files/templates to PopAI. Provide the access token via a protected environment variable or secret manager, not TOOLS.md. Review the code and provenance because the registry source and homepage are not declared.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked or overexposed PopAI token could let someone use the user's PopAI account/API access or interact with prior PopAI content.

Why it was flagged

The PopAI token is expected for the service, but recommending persistent plaintext storage in TOOLS.md can expose an account credential to future agent context, synced files, or collaborators without clear protection guidance.

Skill content

Once user provides the token, set it in environment: `export POPAI_ACCESS_TOKEN=<token>`

Tips: You can save the key in `TOOLS.md` for future reference.

Recommendation

Use an environment variable or secret manager instead of saving the token in TOOLS.md; if it has already been saved there, remove it from shared/synced files and rotate the token.

What this means

Reference documents, images, or templates may contain private or business-sensitive information that will be processed by PopAI infrastructure.

Why it was flagged

The script uploads user-provided local files/templates to a PopAI S3 endpoint for processing. This is aligned with the skill purpose, but it means file contents and filenames leave the local machine.

Skill content

upload_resp = requests.post(
    S3_UPLOAD_URL,
    files={"file": (filename, f, content_type)},

Recommendation

Upload only files you are comfortable sending to PopAI, and avoid confidential documents unless PopAI's terms and your organization allow it.

What this means

If the channel ID is exposed or reused unexpectedly, future actions could target an existing presentation rather than a new one.

Why it was flagged

The skill asks the agent to retain a PopAI channel identifier so it can modify the same presentation later. This is purpose-aligned, but it creates persistent context tied to a generated deck.

Skill content

Save the `channel_id` from `web_url` ... for potential follow-up modifications

Recommendation

Store channel IDs only as needed for the active task, confirm with the user before modifying an existing deck, and avoid sharing the web URL/channel ID outside the intended audience.

What this means

Users have less external context for verifying who maintains the skill and whether the PopAI endpoints and behavior are expected.

Why it was flagged

The skill has no declared source repository or homepage, which makes independent provenance verification harder even though no remote installer is present.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included code and only use the skill if you trust the publisher and PopAI account/token flow.