Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sum2Slides Lite

v1.1.6

Summarizes conversations into professional PPT slides, with pure local processing and optional Feishu upload (v1.1.6)

0· 165·0 current·0 all-time
by Wei Wu @wwumit
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (convert dialogue to PPT with optional Feishu upload) matches the code and docs: PPT generators, content planner, and an explicit platforms/feishu implementation are present. The SKILL.md and many security docs plainly state Feishu credentials (FEISHU_APP_ID / FEISHU_APP_SECRET) are optional and only needed for upload functionality.
Instruction Scope
SKILL.md restricts network activity to an opt-in Feishu mode and instructs the user to keep feishu.enabled=false and not set FEISHU_* env vars for pure-local operation. The runtime instructions ask users to run local verification/test scripts and to manually copy or symlink files into the skills folder; they do not direct arbitrary file/system/network access beyond the stated functionality.
Install Mechanism
Registry metadata shows no install spec (instruction-only), and SKILL.md gives manual install steps. However, the package contains many code files (not truly 'no-code'), so installation is manual/copy-based. This is lower-risk than a remote installer, but requires the user to perform the manual steps and to review files before copying.
Credentials
No required environment variables are declared and no primary credential is required. The only credentials the code references are FEISHU_APP_ID/FEISHU_APP_SECRET, which are documented as optional and only needed for Feishu uploads — proportional to the stated optional feature.
Persistence & Privilege
The skill is not force-included (always:false) and is user-invocable. Installation is manual (copy/symlink) per instructions; there is no code in the package that requests elevated privileges or modifies other skills' configuration in the provided files.
Assessment
This package appears to implement what it claims: a local PPT generator with an optional Feishu uploader. Before installing: 1) review the code (especially platforms/feishu/feishu_platform.py) to confirm you understand where network calls occur; 2) run the included INSTALL_VERIFICATION.py, quick_permission_check.py, and simple_sum2slides_test.py inside an isolated test directory; 3) keep feishu.enabled=false and do not set FEISHU_APP_ID/FEISHU_APP_SECRET unless you trust the package and want upload functionality; 4) prefer manual copy or symlink installation (as documented) instead of any automated installer. I give medium confidence because many files were truncated/omitted for review — if you want a higher-confidence assessment, provide the omitted files (or search them for exec/eval/dynamic network endpoints and unexpected credential accesses).

Like a lobster shell, security has layers — review code before you run it.

latest vk97eqbtz4bavmhvjyz9g7rdx4s834qpd
