Keynote Video

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s PPT-to-video purpose is coherent, but its generator builds shell command strings by interpolating user-controlled paths and config values, so a crafted presentation filename, output path, or spec value could make the shell run unintended commands.

Review before installing or running. The workflow is understandable, but only use trusted presentation filenames and trusted project/output paths, avoid sensitive decks unless sending narration text to the TTS provider is acceptable, and prefer a patched version that spawns processes with argument arrays instead of shell command strings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A maliciously named presentation file, output path, or edited/generated spec value could cause the user’s machine to run unintended shell commands during video generation.

Why it was flagged

The script invokes a shell with interpolated user-controlled file paths and spec-derived voice/rate values. Wrapping a value in double quotes does not neutralize it: inside double quotes the shell still expands `$(...)`, backticks and `$VAR`, and an embedded `"` in a filename closes the quoted string so the rest of the name is parsed as further arguments or commands. The paths are interpolated with no escaping at all (`escapeForShell` is applied only to the narration text), and voice/rate are interpolated unquoted and unwhitelisted, so a space or `;` in either value splits the command.

Skill content
execSync(`libreoffice --headless --convert-to pdf --outdir "${outputDir}" "${pptPath}"`, ...); ... `edge-tts --text "${escapeForShell(scriptText)}" --voice ${voice} --rate ${rate} --write-media "${audioFile}"`
Recommendation

Replace the execSync shell strings with execFileSync/spawnSync argument arrays (so no shell parses the values), resolve and validate all paths so they stay inside the project directory, whitelist voice and rate values, and reject shell metacharacters in any user-controlled field that must still reach a shell.

What this means

Users may not see dependency and package-install requirements before installation, and the listed packages are not pinned in the provided artifacts.

Why it was flagged

The skill’s documentation instructs the user to install Python packages and a system package (one step via sudo), while the registry metadata declares no required binaries and there is no install spec, so the registry cannot surface these requirements or show the setup commands before installation.

Skill content
pip install python-pptx ... pip install PyMuPDF ... sudo apt-get install poppler-utils
Recommendation

Declare required binaries and dependencies in metadata or an install spec, pin package versions where practical, and keep setup commands (especially the sudo step) as explicit, user-approved actions rather than something run automatically.

What this means

Confidential slide content may be processed by the TTS provider/toolchain during audio generation.

Why it was flagged

The generated narration text, which may be derived from the user’s slides or background materials, is passed to the edge-tts tool for speech synthesis. edge-tts is a client for a remote speech service, and the skill’s own documentation says to check the network connection when edge-tts fails, so slide-derived text leaves the machine during audio generation.

Skill content
`edge-tts --text "${escapeForShell(scriptText)}" --voice ${voice} --rate ${rate} --write-media "${audioFile}"`
Recommendation

Warn users before processing sensitive decks, document the TTS data flow clearly, and offer or recommend an approved local/private TTS option for confidential material.