Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

md-to-nanobanana-ppt

v1.0.0

Converts a Markdown analysis report into a complete PPT: first offers five or more color schemes for the user to choose from, then splits the content into no more than 20 slides, generates the corresponding nano-banana image prompts, calls nano-banana2-apiyi to produce the images, and finally assembles the `.pptx` and delivers it through a channel chosen by file size. Use when the user needs to convert a Markdown report into a PPT, or from an existing report gen...

1 · 73 · 0 current · 0 all-time
by Heaven@yunni123
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The name/description match the instructions (convert MD → PPT with nano-banana images, offer color schemes, split to ≤20 slides, choose delivery method). However, the skill expects access to external services (nano-banana2-apiyi for image generation, Feishu for progress messages, and email-mail-master/QQ email for large-file delivery) yet declares no required environment variables, credentials, or config paths. A legitimate implementation would need API keys/webhook tokens; omission is a coherence problem.
Instruction Scope (flagged)
SKILL.md instructs the agent to read user-provided Markdown, create plan.md, write all outputs to a hard-coded path (~/.openclaw/media/ai-choise/md-to-nanobanana-ppt/), and proactively send progress via Feishu and call external image/email services. These instructions go beyond simple local processing and require network access and credentials that are not declared. The hard-coded output directory in the user's home is also noteworthy and should be explicit/optional.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install mechanism. Nothing is written to disk by an installer, though the runtime instructions do write files during execution.
Credentials (flagged)
The runtime clearly needs credentials or webhooks (nano-banana API key, Feishu webhook/token, and QQ/email credentials or delegated email-sending skill configuration) but `requires.env` lists nothing. That is disproportionate and opaque: either the implementer expects platform-provided implicit credentials (not documented) or they forgot to declare required secrets. Both are problematic for security and user consent.
Persistence & Privilege
`always` is false and there is no install-time persistence. The skill will write files into ~/.openclaw/media/..., create plan.md, and invoke other services/skills at runtime. Those behaviors are not privileged changes to system-wide settings, but they do create persistent data in a hard-coded user path and trigger external communications — the user should be aware and consent to that.
What to consider before installing
This skill mostly does what it says (MD → PPT with AI images), but it expects to call external services (nano-banana2-apiyi), send progress to Feishu, and use an email-sending skill — yet it declares no API keys or webhooks. Before installing/use, ask the publisher to: (1) list all required credentials and endpoints (nano-banana API key(s), Feishu webhook/token, email-mail-master configuration/QQ credentials); (2) explain where and why files are written (confirm or change the hard-coded ~/.openclaw/media/... path); (3) describe what data is sent to external services and obtain explicit consent for sending report content to third-party image-generation APIs; (4) confirm whether the platform will supply any implicit credentials or if the user must provide them; and (5) verify the trustworthiness and scope of the email-mail-master skill. If the developer cannot provide clear answers or if you cannot supply/inspect the required credentials, do not enable this skill, or run it only in a tightly controlled sandbox with network access restricted to known endpoints.

latest: vk9797ec0kbjc7tf62576zegyw5843q7y