Back to skill
Skillv1.0.7
ClawScan security
aippt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 21, 2026, 8:05 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose (generating PPTs via the jcppt.com API), asks only for a single API token and python3, and the included scripts call the documented remote endpoints — nothing in the package indicates covert or unrelated access.
- Guidance
- This skill appears to do what it says: it sends generated Markdown (and, in practice, any user-supplied document text the agent converts) to the aippt/jcppt API to produce PPTs. Before installing, consider: (1) You must provide AIPPT_ACCESS_TOKEN from jcppt.com — only do this if you trust that service. (2) The agent (or a separate file-parsing skill) will transmit your document contents to https://ppt-api.7niuai.com / https://jcppt.com — do not send sensitive or confidential documents unless you accept that transmission. (3) Ensure the runtime has Python and the 'requests' library available (the scripts assume requests is installed). (4) If you need offline or private generation, this skill is not suitable. Review jcppt.com's privacy/terms if you plan to upload proprietary content.
Review Dimensions
- Purpose & Capability
- okName/description (auto-generate PPT) aligns with requested items: python3 and an AIPPT_ACCESS_TOKEN for the aippt/jcppt service. The network endpoints and token usage match the documented service (jcppt.com / ppt-api.7niuai.com).
- Instruction Scope
- noteSKILL.md stays within PPT generation workflow (prompt optimization, markdown generation, selecting a template, calling the API). It does mention parsing user files via a separate 'reading file' skill (not bundled) — which implies that user file contents may be converted to Markdown and then sent to the remote API; the skill itself does not read arbitrary local files, but the overall workflow will transmit user-provided content to jcppt.com.
- Install Mechanism
- noteNo install spec (instruction-only plus small helper scripts) — low install risk. One inconsistency: the bundled Python scripts use the 'requests' library but the skill does not declare installing that dependency or verify its presence.
- Credentials
- okOnly a single API credential (AIPPT_ACCESS_TOKEN) is required and is justified by the stated purpose. No unrelated secrets, system config paths, or broad credential requests are present.
- Persistence & Privilege
- okalways:false and normal autonomous invocation settings. The skill does not request permanent system-wide presence or modify other skills/config; no elevated privileges are requested.