Extract content from PowerPoint (.ppt, .pptx) presentations to Markdown using MinerU. Reads slide content and converts it to structured, readable output. Fea...
Security Analysis
high confidenceThe skill's requirements and runtime instructions match its stated purpose (PowerPoint extraction via the MinerU CLI) and request only a single service token and the MinerU CLI binary.
Name/description (Ppt Extract) align with required binary (mineru-open-api) and MINERU_TOKEN. Requested binaries and env var are expected for a CLI that delegates extraction to the MinerU service. No unrelated credentials or binaries are requested.
SKILL.md instructs the agent to run mineru-open-api commands against local files or URLs and to use MINERU_TOKEN for auth. This is within scope, but the instructions do not explicitly state whether extraction is performed locally or uploaded to MinerU servers — if the CLI uploads files, that means PPT contents may be transmitted off-host. Verify that behavior if you will process sensitive slides.
Install options are standard package installs: npm package 'mineru-open-api' or go install from a GitHub repo. Both are expected for a CLI tool; no arbitrary download URLs, shorteners, or archive extracts are used in the spec.
Only MINERU_TOKEN is required and is declared as primaryEnv. That is proportional for a tool that authenticates to an external MinerU service. No other secrets or unrelated environment variables are requested.
Skill is not forced-always (always:false) and requests no filesystem or agent-wide config paths. It is user-invocable with normal autonomous-invocation enabled by default — the typical posture for skills.
Guidance
Before installing: (1) Confirm you trust MinerU/mineru-open-api (review its GitHub repo and npm package) and the token creation page (https://mineru.net/apiManage/token). (2) Verify whether the CLI extracts locally or uploads files to MinerU servers — avoid sending sensitive presentations unless you accept that. (3) Prefer installing from the source you audited (go install from the GitHub repo at a pinned commit or inspect the npm package contents). (4) Provide MINERU_TOKEN with least privilege possible and rotate/revoke it if needed. (5) If you are uncomfortable with autonomous invocation, keep the skill user-invocable only (do not enable always:true) or disable model invocation for it in agent settings.
Latest Release
v0.4.0
SEO: expand description for better ClawHub vector search discovery
More by @mzlzyca
Published by @mzlzyca on ClawHub
