PPT Compression Master! Automatically compresses the video and image assets inside a PPT, with compression ratios as high as 90%!

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is aligned with compressing PPT files, but it asks the agent to run local code that can download and execute unverified third-party binaries and uses unsafe Python command templates with user-supplied paths.

Use this skill only if you are comfortable running local Python code. Before using it, prefer installing ffmpeg yourself from a trusted source, avoid automatic dependency downloads when possible, and do not use suspiciously named or untrusted PPT files/paths.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a download source or archive is compromised, the user's agent could later run a malicious local executable while compressing a PPT.

Why it was flagged

The downloader fetches ffmpeg archives from third-party URLs, extracts them into the skill directory, and makes copied binaries executable; the artifact does not show checksum, signature, or pinned-version verification.

Skill content

'https://www.gyan.dev/ffmpeg/builds/ffmpeg-release-essentials.zip' ... urllib.request.urlretrieve(url, dest_path) ... tf.extractall(SCRIPT_DIR) ... make_executable(dst)

Recommendation

Prefer a system-installed ffmpeg from a trusted package manager, or require pinned versions with published checksums/signatures before extracting and running downloaded binaries.

What this means

A maliciously crafted message or filename could cause the agent to execute unintended Python code under the user's account.

Why it was flagged

The execution instructions embed user-controlled message text and file paths directly into Python source passed to python -c. Raw strings do not protect against all embedded quote or triple-quote cases.

Skill content

python -c "... extract_pptx_paths(r'''<用户的完整消息>''') ..." ... python -c "... run(r'<验证后的路径>')"

Recommendation

Invoke the provided script with arguments instead of generating Python source, or pass paths through a safe argument array/temporary file and avoid interpolating user text into python -c.

What this means

Running the skill may change the user's Python environment and depend on whatever Pillow package version pip resolves at that time.

Why it was flagged

The script installs Pillow automatically if missing. This is purpose-aligned for image compression and disclosed in SKILL.md, but it is an unpinned runtime package install.

Skill content

[sys.executable, '-m', 'pip', 'install', 'Pillow', '-q']

Recommendation

Use a virtual environment or declared install step with a pinned Pillow version, and ask for user approval before installing packages.