pptx-analysis 安全扫描报告 — 低风险 | ClawSafe

15 /100

pptx-analysis

Analyze and extract structured content from PowerPoint (.pptx) presentations using MinerU. Returns Markdown with slide content and layout preserved.

Pure documentation skill describing a legitimate open-source CLI tool (MinerU) with no executable code, scripts, or hidden functionality.

技能名称pptx-analysis

分析耗时28.1s

引擎pi

✓

可以安装

No immediate action required. Consider adding an explicit allowed-tools declaration in SKILL.md for completeness.

安全发现 2 项

严重性	安全发现	位置
低危	Missing allowed-tools declaration SKILL.md does not declare any allowed-tools permissions despite the skill implicitly requiring filesystem:READ (to read .pptx), filesystem:WRITE (for -o output), shell:WRITE (for CLI invocation), and potentially network:READ (for URL input). `--- name: pptx-analysis ...` → Add an allowed-tools section to SKILL.md listing required permissions (filesystem:READ, filesystem:WRITE, shell:WRITE, network:READ) for full transparency.	`SKILL.md:1`
低危	External URLs in skill documentation Skill references https://mineru.net and https://mineru.net/apiManage/token. These are informational links for token registration and are not actively called by the skill. `homepage: https://mineru.net` → No action needed — these are standard documentation URLs. Flagged as informational IOCs.	`SKILL.md:4`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	SKILL.md: CLI reads .pptx files (filesystem:READ implied by read operations)
文件系统	`NONE`	`WRITE`	✓ 一致	SKILL.md: CLI outputs to directory with -o flag (filesystem:WRITE implied)
网络访问	`NONE`	`READ`	✓ 一致	SKILL.md: 'Supported input: .pptx (local file or URL)' suggests network:READ cap…
命令执行	`NONE`	`WRITE`	✓ 一致	SKILL.md: Documents npm/go install and CLI command execution (shell:WRITE implie…

2 项发现

🔗

中危外部 URL 外部 URL

https://mineru.net

SKILL.md:4

🔗

中危外部 URL 外部 URL

https://mineru.net/apiManage/token

SKILL.md:45

1 文件 · 3.0 KB · 59 行

Markdown 1f · 59L

└─ 📝 SKILL.md Markdown 59L · 3.0 KB

✓ No executable code or scripts present — skill is purely declarative documentation

✓ No base64, obfuscation, or eval patterns detected

✓ No credential harvesting or environment variable exfiltration

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden instructions in comments or HTML

✓ References a legitimate, well-known open-source project (MinerU by OpenDataLab, Shanghai AI Lab)

✓ No dependency files with unpinned or vulnerable packages