The skill is vulnerable to remote code execution by directly passing unsanitized user input to local Python scripts.
Claims to do
AI PPT Generator: Generate PPT using Baidu AI with intelligent template selection.
Actually does
The skill executes Python scripts (`ppt_theme_list.py`, `random_ppt_theme.py`, `generate_ppt.py`) using `python3`. It leverages a `BAIDU_API_KEY` to interact with Baidu's AI API for generating PowerPoint presentations. The skill can list templates, intelligently select one based on the topic, or use a specified template, ultimately providing a URL to the generated PPT hosted on Baidu Cloud storage.
openclaw skills install ide-rea/ai-ppt-generatorThe skill executes local Python scripts (`generate_ppt.py`, `random_ppt_theme.py`) using `python3` and passes user-provided input (e.g., 'TOPIC', 'CATEGORY') directly as command-line arguments (`--query`, `--category`). Without proper sanitization of these inputs, a malicious user could inject arbitrary shell commands, leading to remote code execution.
python3 scripts/random_ppt_theme.py --query "人工智能发展趋势报告" Run `generate_ppt.py --query "TOPIC" --tpl_id ID`
[](https://mondoo.com/ai-agent-security/skills/clawhub/ide-rea/ai-ppt-generator)<a href="https://mondoo.com/ai-agent-security/skills/clawhub/ide-rea/ai-ppt-generator"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/ide-rea/ai-ppt-generator.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/clawhub/ide-rea/ai-ppt-generator.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.