Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Professional PPTX Maker
v1.0.2
Creates professional PowerPoint presentations with mandatory charts, tables, expert commentary, MECE structure, and standardized themed layouts.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The files implement a PowerPoint generator (parsing, planning, validation, rendering via python-pptx), which matches the skill description. Minor packaging inconsistencies: README and SKILL.md describe a 'professional-pptx-maker' CLI, but the repository lacks a clear executable wrapper script of that name; instead there are Python entry scripts (main.py, professional_main.py). package.json lists 'python-pptx' as an npm dependency (nonsensical, since it is a Python package), suggesting sloppy packaging rather than deliberate maliciousness.
Instruction Scope
SKILL.md runtime instructions are scoped to reading an input markdown file, parsing it, and producing a .pptx. It does not instruct the agent to read unrelated system files or network endpoints. However, SKILL.md and README require fonts (Microsoft YaHei, Poppins, Roboto) and assume system dependencies without declaring how to obtain them. The provided install.sh (not part of registry install spec) will copy repository files into ~/.openclaw and create a symlink — an action outside the core task of rendering PPTX that you should inspect before running.
Install Mechanism
Registry metadata lists no install spec, but the package contains install.sh that copies all files (cp -r ./*) into ~/.openclaw/workspace/skills and creates a symlink in ~/.openclaw/bin. That script will perform filesystem writes if executed. Also package.json includes python-pptx as an npm dependency (incorrect host), indicating sloppy or inconsistent packaging. The absence of an official install instruction from the registry combined with an executable install script in the repo is a caution point: don't run install.sh unless you trust the source and inspected it fully.
Credentials
The skill declares no required environment variables or credentials, and the code snippets shown do not access external secrets. It does require system fonts and python-pptx (a Python library) to produce the intended output; those are reasonable for this functionality but are not enforced by registry metadata.
Persistence & Privilege
The skill does not request always:true and does not declare elevated privileges. The included install.sh writes into the user's ~/.openclaw workspace and creates a symlink there (normal for installing a skill), which is a local persistence action but expected for user-installed skills. Autonomous invocation (disable-model-invocation false) is the platform default and is not by itself a red flag.
What to consider before installing
Summary of what to consider before installing or running:
- Source trust: The repo/source is 'unknown' and the package shows sloppy packaging (e.g., python-pptx listed in package.json). Only proceed if you trust the author or have reviewed all files.
- Do not run install.sh blindly: it copies all files into ~/.openclaw and symlinks an executable name that may not exist. Inspect install.sh and the files it will copy before executing.
- Missing CLI wrapper: The README/usage shows a 'professional-pptx-maker' command, but the package provides Python scripts (main.py / professional_main.py). You may need to run python3 professional_main.py rather than a non-existent binary.
- Verify templates/parsers for network I/O: Before running, grep files like template_extractor.py, smart_parser.py, quality_validator.py for any network calls (requests, urllib, socket, subprocess invoking curl/git) or hidden endpoints. The truncated files shown do not have network calls, but some omitted files remain — inspect them.
- Test in a sandbox: Run the tool in an isolated environment (temporary user account, container, or VM). Use --dry_run if available and point input/output to a disposable directory.
- Install dependencies manually: pip install python-pptx in a virtualenv, and install required fonts manually if you need correct rendering.
- Inspect slides.json output first: Run the generator to produce the intermediate slides.json and review it before allowing it to write or save the final .pptx.
If you want, I can: (1) scan the remaining omitted files for network or env access patterns, (2) produce commands to safely run the tool in a container, or (3) list exact grep patterns to search the repo for risky behavior.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/generate.js:35: Shell command execution detected (child_process).
