The skill enables arbitrary command execution via command
Claims to do
McKinsey PPT Design Framework:
> **Version**: 1.10.4 · **License**: Apache-2.0 · **Author**: [likaku](https://github.com/likaku/Mck-ppt-design-skill)
>
> **Required tools**: Read, Write, Bash · **Requires**: python3, pip
Actually does
This skill generates PowerPoint presentations (.pptx files) using `python-pptx`. It defines a comprehensive design framework including color palettes, typography, and 70 layout patterns. It uses `lxml` and `zipfile` to post-process generated files, removing problematic XML elements to prevent corruption. It can also deliver the final .pptx file to a messaging channel using `openclaw message send --media`.
openclaw skills install likaku/mck-ppt-design
Shell command execution function detected
subprocess.run
The skill explicitly requires the 'Bash' tool, enabling arbitrary command execution on the host system. This capability can be leveraged for reconnaissance, data exfiltration, persistence, or system compromise.
Required tools: Read, Write, Bash
The skill requires 'Write' access, which is necessary for its function (saving PPTX files). However, this capability can be abused to write malicious scripts, modify system configuration files, or establish persistence.
Required tools: Read, Write, Bash
The skill requires 'Read' access, which could be abused to read sensitive files from the file system (e.g., configuration files, user data) for reconnaissance or data exfiltration.
Required tools: Read, Write, Bash
The `deliver_to_channel` function uses `subprocess.run` to send the generated PPTX via an external `openclaw` command. An attacker could manipulate the `outpath` variable or the command arguments to exfiltrate other sensitive files read from the system.
def deliver_to_channel(outpath, slide_count): ... subprocess.run(['openclaw', 'message', 'send', '--media', outpath, ...])
The skill includes a `deliver_to_channel()` helper that executes an external binary (`openclaw`) via `subprocess.run()` with user-influenced path parameters. The `outpath` argument is derived from agent-generated content and passed unsanitized to the shell command, creating a potential command injection vector. Additionally, this trains the agent to routinely spawn external processes as part of its workflow.
result = subprocess.run(
    ['openclaw', 'message', 'send',
     '--media', outpath,
     '--message', caption],
    capture_output=True, text=True, timeout=30
)
The `deliver_to_channel()` function unconditionally sends the generated file to an external channel using the `openclaw` CLI. This pattern normalizes exfiltrating agent-generated artifacts to external messaging systems. If `outpath` can be influenced to point to sensitive files, or if the `openclaw` tool is compromised, arbitrary data could be sent outside the system. The skill explicitly instructs agents to 'always attempt delivery' after every generation.
result = subprocess.run(
    ['openclaw', 'message', 'send',
     '--media', outpath,
     '--message', caption],
    capture_output=True, text=True, timeout=30
)
...
1. **Always attempt delivery** — after every successful generation, call `deliver_to_channel()`
The skill introduces a dependency on an undeclared external binary `openclaw` that is not listed in the skill's declared required tools (Read, Write, Bash). This binary is invoked with file paths and message content, normalizing the use of an unvetted tool that could be a supply chain attack vector or a mechanism for exfiltration. The skill's frontmatter lists 'Bash' as a required tool, which implicitly enables arbitrary command execution.
**Required tools**: Read, Write, Bash
...
if not shutil.which('openclaw'):
...
['openclaw', 'message', 'send', '--media', outpath, '--message', caption]
The `full_cleanup()` function reads, parses, and rewrites all XML files within the PPTX ZIP archive using lxml. While the stated purpose is removing theme artifacts, this pattern of arbitrary ZIP/XML manipulation could be repurposed or extended to inject content into the archive. The function operates on all XML files without restriction, including slide content files.
def full_cleanup(outpath):
    """Remove ALL p:style from every slide + theme shadows/3D."""
    tmppath = outpath + '.tmp'
    with zipfile.ZipFile(outpath, 'r') as zin:
        with zipfile.ZipFile(tmppath, 'w', zipfile.ZIP_DEFLATED) as zout:
            for item in zin.infolist():
                data = zin.read(item.filename)
                if item.filename.endswith('.xml'):
                    root = etree.fromstring(data)
The skill references an external GitHub repository (https://github.com/likaku/Mck-ppt-design-skill) as the authoritative source. If agents are instructed to fetch updates or examples from this URL, it creates a supply chain dependency on an external, potentially attacker-controlled repository.
> **Version**: 1.10.4 · **License**: Apache-2.0 · **Author**: [likaku](https://github.com/likaku/Mck-ppt-design-skill)
The skill is designed to create 'professional, consultant-grade PowerPoint presentations.' This capability, while benign in intent, could be exploited by an attacker to generate highly convincing and legitimate-looking documents for social engineering campaigns.
description: >-
  Create professional, consultant-grade PowerPoint presentations from scratch using python-pptx with McKinsey-style design.
The skill mandates that agents 'Always attempt delivery' and send files to external channels after every generation without requiring user confirmation. This skip-user-confirmation pattern causes the agent to automatically exfiltrate generated files to external messaging systems without oversight. The pattern is framed as a mandatory rule with no opt-out.
1. **Always attempt delivery** — after every successful generation, call `deliver_to_channel()`
2. **Graceful fallback** — if `openclaw` CLI is not available, skip silently
4. **No duplicate sends** — call `deliver_to_channel()` exactly once per generation