Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solution Expert (解决方案专家)

v1.0.0

Turn customer background, current problems, and target requirements into a consulting-grade solution narrative and PPT-ready JSON outline. Use when Codex nee...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (consulting solution -> PPT JSON) align with the SKILL.md: it specifies extracting business context, producing a constrained JSON schema, and optionally converting that JSON to a .pptx. Nothing in the instructions asks for unrelated cloud credentials or external services.
! Instruction Scope
The instructions explicitly tell the agent to read local files (e.g., .docx, .md) and to run a local converter: python3 工具/generate_ppt_from_json.py <input.json> <output.pptx>. Because the skill is instruction-only and the referenced tools/scripts are not included in the skill bundle, the agent will attempt to access workspace files and execute local code whose contents are unknown. This is within the skill's claimed purpose but increases risk: review any local scripts before allowing execution and limit which files the agent may open.
Install Mechanism
No install spec and no external downloads — lowest install risk. However, the runtime workflow expects local Python scripts and template files in the workspace; those files are not part of the skill bundle, so their presence and safety must be verified independently.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to its stated purpose.
Persistence & Privilege
always is false and there is no request to modify other skills or global agent settings. The skill does instruct writing JSON and PPT files to the working directory, which is expected for its function.
What to consider before installing
This skill appears coherent for generating consulting-style PPT JSON and optionally a PPT, but it tells the agent to read local files and run local Python scripts that are not packaged with the skill. Before installing or invoking it:

1) Confirm the workspace actually contains 工具/generate_ppt_from_json.py, 工具/ppt_generator.py, and the template files, and review their source code to ensure they are safe.
2) When providing file inputs, only allow the single intended document (don’t allow the agent to crawl arbitrary directories).
3) If you cannot or do not want the agent to execute local scripts, request only the JSON output (avoid the PPT conversion step).
4) Run the conversion in a sandboxed environment or with least-privilege file permissions.

If you want higher assurance, ask the skill author to bundle or publish the converter code so it can be reviewed.

Like a lobster shell, security has layers — review code before you run it.

latest vk97bnm6x52a4zmt96xwc05phq9834226
