Ppt Video

将PPTX/PDF/HTML演示文稿及背景材料自动转换成1280×720口语化播报视频，支持内容风格识别和语速调节。

This skill appears to do what it claims, but proceed with caution: 1) Provide a tightly-scoped input directory containing only files you intend the skill to process (avoid passing root or broad workspace paths). 2) The Node script uses execSync with concatenated command strings; malicious or specially-crafted filenames might cause command injection or break quoting—sanitize filenames before running, or run the skill in a sandboxed environment (container or VM). 3) The docs disagree on resolution and framerate—verify the produced video matches your requirements before using in production. 4) edge-tts likely requires network access; confirm privacy/usage expectations for TTS output. 5) If you need higher assurance, review the remainder of generate.js (the truncated part) for any network calls, hidden endpoints, or remote uploads. If you lack the ability to sandbox, consider running only on non-sensitive test material or asking the author for clarifications/patches that avoid shell concatenation (use execFile or spawn with argument arrays and strict sanitization).

Type: OpenClaw Skill Name: ppt-video Version: 1.4.1 The skill bundle provides a functional pipeline for converting presentations to videos using Node.js, Python, and external CLI tools like FFmpeg and edge-tts. It is classified as suspicious due to significant command injection vulnerabilities in `scripts/generate.js`. The script uses `execSync` to execute shell commands with strings constructed from user-provided file content and paths. While it attempts basic sanitization by removing backticks and escaping double quotes, it fails to sanitize other shell metacharacters (notably `$`), which could allow arbitrary code execution via command substitution if a malicious input file is processed. Repository: https://github.com/vincentlau2046-sudo/ppt-video.git.