Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pptgenerator
v1.0.0支持HTML格式PPT的智能生成与编辑,涵盖通用演示、总结汇报、教学课件、公众演讲等场景,提供换风格、换语种、文本润色、信息核验等功能;当用户需要生成PPT/演示文稿/幻灯片,或对现有PPT执行换风格/换语种/润色/核验时使用。
⭐ 1· 77·0 current·0 all-time
by@yyc529
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included script: the skill calls a remote presentation-generation API and offers generate/edit flows. However the SKILL.md advertises pptultra.com/pptultra branding while the script posts to https://www.ultrappt.com — a domain mismatch that is unexplained and worth verifying.
Instruction Scope
SKILL.md instructs running scripts and passing --current-ppt to edit existing presentations. The documentation does not explicitly warn that provided PPT files/content may be uploaded to a remote API. The script clearly builds requests to a remote endpoint, so supplying arbitrary local file paths could transmit their contents off the machine—this is scope creep relative to a local-only editor and a privacy risk if sensitive files are provided.
Install Mechanism
No install spec (instruction-only) and only a Python script is included; dependency is requests. There is no downloaded binary or opaque installer. This is lower-risk than an arbitrary remote install, but the script will perform network I/O when run.
Credentials
Registry metadata declares no required env vars, but the script reads an environment variable PPT_API_KEY (and can save that key to .config.json). That mismatch is incoherent: if an API key can be used/saved, it should be declared and documented. Persisting an API key into a config file inside the skill directory may unintentionally store secrets in plaintext.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and only writes two local files (.config.json and .history.json) in the skill directory. Those local writes are reasonable for caching but may store API keys and history.
What to consider before installing
This skill will send prompts and (likely) provided PPT content to a remote service (the script posts to https://www.ultrappt.com). Before installing or running: 1) Verify the publisher and confirm which domain is the official backend (pptultra.com vs ultrappt.com). 2) Do not pass sensitive files or system configuration paths (passwords, private keys, or internal documents) via --current-ppt; the script may upload them. 3) If you supply an API key (PPT_API_KEY), know it may be saved in plaintext to .config.json inside the skill directory. 4) If you need stronger guarantees, request the author's privacy/security statement or review the rest of the script to confirm exactly what is uploaded. Given the undeclared environment usage and domain mismatch, treat this skill as untrusted until those issues are clarified.Like a lobster shell, security has layers — review code before you run it.
latestvk9729nx0e6zdc5ptmhp0f0t7yn83qpcv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.