Skill v1.1.0
ClawScan security
Ppt Afp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 16, 2026, 4:14 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions ask the agent to read/execute local scripts and rely on API keys (GEMINI_API_KEY, GOOGLE_BASE_URL, Feishu send) but the manifest declares no required credentials or installs; the mismatch and several insecure runtime steps make this suspicious and worth manual review before use.
- Guidance: This skill's design is inconsistent: SKILL.md requires API keys (GEMINI_API_KEY, GOOGLE_BASE_URL) and local scripts under ~/.openclaw/skills, but the manifest declares none. Before installing or running it, do the following: 1) Verify and supply only the minimal, scoped API keys (preferably scoped service accounts) and do not store broad credentials in ~/.zshrc; 2) Inspect the referenced local scripts (~/.openclaw/skills/baoyu-*) and TOOLS.md to ensure they are trusted and contain no arbitrary exec/network calls; 3) Do not run commands that set NODE_TLS_REJECT_UNAUTHORIZED=0 — this disables TLS verification and is unsafe; 4) Confirm how Feishu credentials are provided and limit their permissions; 5) Prefer running in a sandboxed/test environment first (no access to your real HOME or production credentials); and 6) Ask the author to update the manifest to declare required env vars, explain all referenced local files, and remove/justify insecure runtime flags. If you cannot validate these points, treat the skill as risky and avoid enabling it for autonomous use.
Review Dimensions
- Purpose & Capability (concern): Skill claims to auto-generate PPTs and send via Feishu, which is plausible, but the manifest declares no environment variables or credentials while SKILL.md repeatedly references GEMINI_API_KEY, GOOGLE_BASE_URL and a Feishu USER. It also expects local skill libraries under ~/.openclaw/skills/..., which are not declared. Required artifacts (API keys, local scripts) are missing from the declared requirements — this is an incoherence.
- Instruction Scope (concern): Runtime instructions tell the agent to read files under the user's home (~/.openclaw/skills/... and ~/.zshrc), create directories on the Desktop, run npx/bun to execute local TypeScript scripts, and call a Feishu send script. These steps access other skills' files, local shell config (potentially sensitive), and execute code on the machine — scope extends beyond a simple 'PPT helper' and includes local file I/O and remote API usage.
- Install Mechanism (note): There is no install spec (instruction-only), which is lower risk in principle. However, the SKILL.md instructs using 'npx -y bun' to run scripts and sets NODE_TLS_REJECT_UNAUTHORIZED=0. Using npx can fetch packages at runtime and the explicit disabling of TLS validation is insecure — these runtime execution patterns raise concerns even without an explicit install step.
- Credentials (concern): The manifest lists no required env vars or credentials, but the instructions require GEMINI_API_KEY and GOOGLE_BASE_URL (for image generation) and a Feishu user/token implied by the send script. The skill also reads ~/.zshrc for env configuration. Requesting/using these secrets without declaring them is disproportionate and opaque.
- Persistence & Privilege (concern): always is false, but the skill's instructions read and execute scripts from ~/.openclaw/skills/* (other skills' directories). Accessing other skills' files/config is a cross-skill scope escalation risk. The skill also writes files to Desktop and system paths. Combined with autonomous invocation (platform default), these behaviors increase the blast radius if misused.
