Manus on OpenClaw

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Manus-API purpose, but its slide-conversion helper can fetch arbitrary HTTP/HTTPS image URLs and write files despite the docs promising allowlisted HTTPS-only downloads.

Review or avoid the slide JSON-to-PPTX converter until its URL validation and filename handling are fixed. If you install the skill, use a dedicated Manus API key, verify the official HTTPS API base, protect the local config file, and install any Node dependencies from pinned trusted sources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or compromised slides JSON bundle could make the user's machine fetch unexpected external or internal URLs and potentially write/overwrite files near the chosen output path.

Why it was flagged

The slide JSON controls both the image URLs and the slide IDs. Unlike the safer Python collector, this helper accepts plain HTTP URLs as well as HTTPS, follows redirects without re-validating the target host, and writes to a filename built from the attacker-influenced slideId.

Skill content
const imgUrl = obj.images?.[slideId]; ... const client = url.startsWith('https:') ? https : http; ... const imgPath = path.join(outDir, `${String(i + 1).padStart(2, '0')}_${slideId}.png`); ... await download(imgUrl, imgPath);
Recommendation

Do not use the slide converter on untrusted JSON until it enforces HTTPS, Manus-host allowlisting, redirect revalidation, size limits, and safe filename/path sanitization.
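The checks this recommendation asks for, as an added example rather than the skill's own code: each image URL and every redirect target is held to the same HTTPS-plus-allowlist rule, and the slideId is reduced to a safe filename component before it reaches the output path. `ALLOWED_HOSTS` is a constructed placeholder; the real list would name the Manus-controlled hosts the documentation refers to.

```javascript
// Added example, not the skill's own code: input checks for the slide-image download step.
// ALLOWED_HOSTS is a constructed placeholder; the real allowlist would name Manus-controlled hosts.
const ALLOWED_HOSTS = ['images.example.invalid'];
const MAX_REDIRECTS = 3;

// Accept only https:// URLs whose hostname is exactly on the allowlist; throws otherwise.
// Applied to the initial URL and to every redirect target, so a redirect cannot move
// the fetch to an internal or non-allowlisted host.
function validateImageUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(rawUrl); } catch { throw new Error(`malformed URL: ${rawUrl}`); }
  if (u.protocol !== 'https:') throw new Error(`non-HTTPS URL rejected: ${rawUrl}`);
  if (u.username || u.password) throw new Error('credentials in URL rejected');
  if (!allowedHosts.includes(u.hostname.toLowerCase())) {
    throw new Error(`host not allowlisted: ${u.hostname}`);
  }
  return u.href;
}

// Resolve a Location header against the URL that returned it, count the hop,
// and re-run the same validation before the redirect is followed.
function redirectTarget(currentUrl, location, hops, allowedHosts = ALLOWED_HOSTS) {
  if (hops >= MAX_REDIRECTS) throw new Error('too many redirects');
  return validateImageUrl(new URL(location, currentUrl).href, allowedHosts);
}

// Reduce a slideId from untrusted JSON to a filename component that cannot carry
// path separators or traversal sequences.
function sanitizeSlideId(slideId) {
  const cleaned = String(slideId).replace(/[^A-Za-z0-9_-]/g, '_').slice(0, 64);
  if (!cleaned || /^_+$/.test(cleaned)) throw new Error('slideId has no safe characters');
  return cleaned;
}

// Filename for slide index i, keeping the converter's "NN_<slideId>.png" layout
// but with the slideId sanitized first.
function imageFileName(i, slideId) {
  return `${String(i + 1).padStart(2, '0')}_${sanitizeSlideId(slideId)}.png`;
}

// Run both checks over one slide entry; returns the validated URL and filename,
// or the first rejection reason so the caller can log and skip the entry.
function checkSlideEntry(i, slideId, imgUrl, allowedHosts = ALLOWED_HOSTS) {
  try {
    return { ok: true, url: validateImageUrl(imgUrl, allowedHosts), file: imageFileName(i, slideId) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```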

What this means

Users may believe all downloads are constrained to safe Manus HTTPS hosts when the slide-conversion path is not.

Why it was flagged

The documentation presents a strong download-safety model, but one included downloader used by the slides workflow does not implement that model.

Skill content
SKILL.md: "Downloader accepts only HTTPS URLs from allowlisted Manus-controlled hosts." / mjs: "const client = url.startsWith('https:') ? https : http;"
Recommendation

Either update the converter to match the documented safety rules, or clearly document that only the Python collector is protected and that the slide converter must be treated as sensitive to untrusted input.

What this means

Anyone who can read the local config file or change the configured API base could affect or misuse Manus API access.

Why it was flagged

The skill requires a Manus API key and sends it to the configured Manus API endpoint. This is expected for the integration, but it is still delegated account authority.

Skill content
SKILL.md: "MANUS_API_KEY (required, local only, stored in ~/.config/manus-openclaw-bridge/manus.env)"; manus_submit.sh: "--header \"API_KEY: ${MANUS_API_KEY}\""
Recommendation

Use a dedicated least-privilege Manus API key, keep the config file private, and verify MANUS_API_BASE points to the official Manus endpoint.

What this means

The converter may fail or load whatever pptxgenjs version is present in the local Node environment.

Why it was flagged

The slide converter depends on an external Node package, but the artifacts provide no package manifest, lockfile, or pinned install path.

Skill content
metadata: "No install spec"; scripts/manus_slides_json_to_pptx.mjs: "import PptxGenJS from 'pptxgenjs';"
Recommendation

Add a package manifest and lockfile or document a pinned, trusted install command for pptxgenjs.