pptx-analysis Security Report — Low Risk | ClawSafe

15 /100

pptx-analysis

Analyze and extract structured content from PowerPoint (.pptx) presentations using MinerU. Returns Markdown with slide content and layout preserved.

Pure documentation skill describing a legitimate open-source CLI tool (MinerU) with no executable code, scripts, or hidden functionality.

Skill Namepptx-analysis

Duration28.1s

Enginepi

✓

Safe to install

No immediate action required. Consider adding an explicit allowed-tools declaration in SKILL.md for completeness.

Findings 2 items

Severity	Finding	Location
Low	Missing allowed-tools declaration SKILL.md does not declare any allowed-tools permissions despite the skill implicitly requiring filesystem:READ (to read .pptx), filesystem:WRITE (for -o output), shell:WRITE (for CLI invocation), and potentially network:READ (for URL input). `--- name: pptx-analysis ...` → Add an allowed-tools section to SKILL.md listing required permissions (filesystem:READ, filesystem:WRITE, shell:WRITE, network:READ) for full transparency.	`SKILL.md:1`
Low	External URLs in skill documentation Skill references https://mineru.net and https://mineru.net/apiManage/token. These are informational links for token registration and are not actively called by the skill. `homepage: https://mineru.net` → No action needed — these are standard documentation URLs. Flagged as informational IOCs.	`SKILL.md:4`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	SKILL.md: CLI reads .pptx files (filesystem:READ implied by read operations)
Filesystem	`NONE`	`WRITE`	✓ Aligned	SKILL.md: CLI outputs to directory with -o flag (filesystem:WRITE implied)
Network	`NONE`	`READ`	✓ Aligned	SKILL.md: 'Supported input: .pptx (local file or URL)' suggests network:READ cap…
Shell	`NONE`	`WRITE`	✓ Aligned	SKILL.md: Documents npm/go install and CLI command execution (shell:WRITE implie…

2 findings

🔗

Medium External URL 外部 URL

https://mineru.net

SKILL.md:4

🔗

Medium External URL 外部 URL

https://mineru.net/apiManage/token

SKILL.md:45

1 files · 3.0 KB · 59 lines

Markdown 1f · 59L

└─ 📝 SKILL.md Markdown 59L · 3.0 KB

✓ No executable code or scripts present — skill is purely declarative documentation

✓ No base64, obfuscation, or eval patterns detected

✓ No credential harvesting or environment variable exfiltration

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden instructions in comments or HTML

✓ References a legitimate, well-known open-source project (MinerU by OpenDataLab, Shanghai AI Lab)

✓ No dependency files with unpinned or vulnerable packages