Is ai-ppt-generate safe?

https://clawhub.ai/jlpJavaWayUp/ai-ppt-generate

Overall score: 72 (CAUTION)

This skill is a legitimate wrapper around Baidu's Qianfan AI PPT generation API, but it raises significant data exfiltration concerns. All user content and API keys are transmitted to Baidu's cloud infrastructure in China. The arbitrary URL parameters (resource_url, custom_tpl_url) create potential data exfiltration channels, and the shell-executed Python scripts with unrestricted network access expand the attack surface. Installation monitoring showed access to .aws/credentials, though this appears attributable to the openclaw runtime rather than the skill itself.

Category Scores (score · weight)

Prompt Injection: 90/100 · 30%
Data Exfiltration: 45/100 · 25%
Code Execution: 55/100 · 20%
Clone Behavior: 75/100 · 10%
Canary Integrity: 100/100 · 10%
Behavioral Reasoning: 55/100 · 5%

Findings (8)

[HIGH] API key sent to third-party external service (-30)

All three Python scripts transmit the BAIDU_API_KEY environment variable to qianfan.baidubce.com in the Authorization header, so the user's API key is sent to Baidu's cloud infrastructure on every invocation. There is no validation that the endpoint has not been tampered with, and no way to verify that the key is not being logged server-side.

[HIGH] Arbitrary URL parameters enable data exfiltration channels (-25)

The resource_url and custom_tpl_url parameters accept arbitrary URLs that are passed directly to the Baidu API. An agent or malicious prompt could craft these URLs to encode sensitive data (e.g., encoding file contents or environment variables in URL query parameters) and send them to an attacker-controlled server via the Baidu API's fetch mechanism.

[MEDIUM] Shell execution of Python scripts with network access (-25)

The skill instructs the agent to execute Python scripts via shell commands (e.g., 'python3 scripts/ppt_generate.py --query_id ...'). These scripts have unrestricted network access through the requests library, and because they are plain files on disk they could be modified after installation to execute arbitrary code or exfiltrate data.

[MEDIUM] No input sanitization on command-line arguments (-20)

The Python scripts use argparse to accept user-provided strings that are passed directly to the API. While argparse itself provides some protection, the outline parameter in ppt_generate.py accepts arbitrary markdown content that is sent to the external API without sanitization.

[MEDIUM] Sensitive file access during installation (-25)

Filesystem monitoring detected access to /home/oc-exec/.aws/credentials and /home/oc-exec/.env during the installation process. While this appears to be the openclaw runtime reading its configuration rather than the skill itself, the .aws/credentials access is notable and unexpected for a PPT generation skill installation.

[LOW] Skill requests python binary dependency (-10)

The skill metadata declares a requirement for the python binary ("bins": ["python"]). This is expected for the skill's functionality but expands the agent's attack surface by confirming Python availability for potential follow-up exploitation.

[LOW] Data sovereignty concern: Baidu cloud service (-15)

All PPT generation data (including user queries, outlines, and referenced resources) is transmitted to Baidu's Qianfan cloud platform hosted in China. Users should be aware that their content and API usage data may be subject to Chinese data retention and access laws.

[INFO] SSE streaming responses parsed without validation (-5)

The outline generation and PPT generation scripts parse server-sent events (SSE) by stripping the 'data:' prefix and JSON-parsing the remainder, without checking the structure of the result. A compromised or malicious API response could therefore inject unexpected data structures, though the impact is limited to what is displayed on stdout.