PPT to Video（汇报视频生成）

将PPTX/PDF/HTML与背景材料自动匹配，生成1280×720分辨率、带有智能风格识别和口语化TTS的播报视频。

This skill appears to implement PPT→video generation as advertised, but review and take precautions before running: - Inspect generate.js for any places it constructs shell commands (execSync) using filenames. If filenames are interpolated into shell commands without sanitization, they can cause command injection; prefer commands invoked with argv arrays. - Don't run the tool pointed at your entire home or repository root — the script recursively scans and copies .md/.pptx/.pdf/.txt files and will therefore gather unrelated or sensitive documents. Point it only at a trusted folder. - Change the default OUTPUT_BASE or supply --output to avoid writing into the hard-coded /home/Vincent/... path left in the script. - Understand that edge-tts is a network TTS client: your text will likely be sent to external TTS services (Microsoft Edge TTS) for synthesis. If content is confidential, use an offline TTS engine or review the TTS client behavior. - Run the skill in an isolated environment (container/VM) the first time, and confirm the external commands it invokes (libreoffice, pdftotext, ffmpeg) are the expected ones. If you need a deeper audit, provide the full generate.js (untruncated) so execSync usages and any network calls can be inspected.

Type: OpenClaw Skill Name: ppt-to-video Version: 1.4.0 The skill bundle contains multiple shell injection vulnerabilities in 'scripts/generate.js' and 'scripts/extract_ppt_text.py' due to the use of 'execSync' and 'subprocess.run' with unsanitized string concatenation for shell commands. While the code's logic aligns with its stated purpose of converting presentations to videos using tools like ffmpeg and libreoffice, the lack of proper input escaping for file paths and TTS text (processed via edge-tts) poses a significant RCE risk. The script also relies on hardcoded absolute paths (e.g., '/home/Vincent/'), which is a security anti-pattern.