Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
powerpoint-generator
v1.0.1
Professional full-process PPT presentation AI generation assistant. Simulates the complete workflow of a top-tier PPT design company (requirements research -...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (PPT generation) matches the included code (html→svg→png→pptx scripts, style/prompt references). However the registry metadata declares no required binaries, env vars, or install steps while SKILL.md and package.json clearly require Node.js (>=18), Python (>=3.8), npm packages (puppeteer, dom-to-svg, etc.) and pip packages (python-pptx, lxml, Pillow). This mismatch (no declared requirements vs. explicit runtime dependencies and package.json) is an incoherence that should be resolved before trusting the skill.
Instruction Scope
SKILL.md instructs the agent/user to install global npm/pip packages, set environment variables (e.g., PUPPETEER_DOWNLOAD_HOST), use system Chrome fallback (/usr/bin/google-chrome), write outputs to ppt-output/ in the user's working directory, download images (Unsplash or generated), and execute multiple Python/Node scripts in the repository. These instructions go beyond a simple in-chat helper: they perform network downloads, write files, and execute local scripts. While consistent with the skill's purpose, they expand the agent's runtime scope and require inspection of the bundled scripts before execution.
Install Mechanism
There is no install spec in the registry, yet package.json and SKILL.md expect npm/pip installation and puppeteer will download a Chromium binary (SKILL.md warns about China mirrors). The lack of an explicit install section in the skill registry combined with instructions to run global installs and to download browser binaries increases supply-chain and operational risk (unexpected network downloads and binaries executed locally).
Credentials
Declared required env vars: none. But SKILL.md mentions optional/required environment settings: PUPPETEER_DOWNLOAD_HOST (recommended), a possible UNSPLASH_ACCESS_KEY for image sourcing, and suggests storing values in a .env. The skill will behave differently depending on these env vars. The absence of those env vars in the registry metadata is an inconsistency; optional keys (Unsplash) could still be sensitive and should be declared.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills, and the registry flags are defaults (user-invocable, model invocation allowed). No evidence of attempts to gain permanent elevated presence in the agent platform. The main privilege is the ability to execute local scripts and write outputs to the working directory, which is expected for this tool but should be limited to an isolated environment.
What to consider before installing
This skill appears to implement what it promises (a full HTML→SVG/PNG→PPTX pipeline) but the package and runtime requirements are not declared in the registry entry. Before installing or running it:
1) Inspect the bundled Python/Node scripts (html2svg.py, svg2pptx.py, resource_loader.py, subagent_logger.py, etc.) for any network calls, unexpected external endpoints, or credential use.
2) Do not run npm/pip installs or execute the scripts on a machine with sensitive data; use an isolated container or VM.
3) Be cautious about providing any API keys (e.g., UNSPLASH_ACCESS_KEY) — only provide them if you trust the code and need that feature.
4) Ask the publisher for a homepage/source repo and an explicit install spec (declared dependencies and env vars). If you cannot validate the code, prefer running the skill in a sandboxed environment or decline installation.
Like a lobster shell, security has layers — review code before you run it.
