ClawHub
Back to skill
v1.0.0

pptgenerator

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:29 AM.

Analysis

The skill appears aimed at PPT generation, but it sends presentation work to a different external domain than the one advertised and also stores optional API keys and history locally.

GuidanceReview this skill before installing. Use it only if you trust the external PPT service and have verified the pptultra.com versus ultrappt.com domain mismatch. Do not provide confidential presentation content or API keys unless you are comfortable with remote processing and local history/config storage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusConcern
scripts/generate_ppt.py
API_URL = "https://www.ultrappt.com/api/v1/agent/skill/chat"

The skill text advertises being powered by pptultra.com, but the script is configured to use an ultrappt.com API endpoint, which is a materially different data destination for user PPT prompts and content.

User impactA user may think they are using one branded service while their presentation content is sent to another domain.
RecommendationVerify that pptultra.com and ultrappt.com are the intended same provider before using this with private or business-sensitive presentations.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
scripts/generate_ppt.py
CONFIG_FILE = os.path.join(_SKILL_DIR, ".config.json") ... key = os.environ.get("PPT_API_KEY", "").strip() ... cfg["api_key"] = api_key

The script supports reading an API key from an environment variable and saving it to a local config file, while the registry metadata declares no required env vars, credentials, or config paths.

User impactA service API key could be stored locally in the skill directory without the user realizing that credential storage is part of the skill.
RecommendationOnly provide an API key if you trust the provider, and consider using a limited-scope key; remove the local .config.json file if you no longer want the key stored.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
scripts/generate_ppt.py
"prompt": prompt, "share_url": result.get("share_url", ""), "summary": result.get("summary", ""), ... history = history[-20:]

The script keeps a local history of recent prompts, generated share links, and summaries for later use; it is bounded to 20 entries but not clearly disclosed in SKILL.md.

User impactPrivate presentation topics, summaries, or share links may remain in a local history file after generation.
RecommendationAvoid using confidential content unless you are comfortable with local history retention, and delete the .history.json file when needed.