Raccoon (小浣熊) PPT generation skill powered by the PPT OpenAPI. Create PPT decks from a natural-language topic. Primarily use this skill when the user wants t...
Security Analysis
high confidenceThe skill's code, runtime instructions, and required secrets line up with its stated purpose of calling a PPT generation OpenAPI; nothing in the package appears to request unrelated privileges or hidden endpoints.
Name/description (PPT generation) matches required artifacts: python3, an API host, and an API token. The script calls an /api/open/office/v2 (ppt_jobs) API and implements create/query/reply flows consistent with the described purpose.
Runtime instructions consistently limit actions to using the provided scripts, collecting minimal input (prompt/role/scene/audience), and polling the remote PPT API. One notable instruction: it recommends sourcing ~/.zshrc before every run to load env vars. Sourcing a user's shell RC file executes whatever is in that file and is a behavior the user should be aware of (the intent here is to load RACCOON_API_TOKEN/RACCOON_API_HOST into the environment). The skill also reads/writes local state/registry files under the skill directory to persist job state, which is expected for long-running tasks.
No install spec (instruction-only with an included script) — lowest install risk. The package does include a Python script but does not fetch remote code at install time or run downloads during install.
Only two environment variables are required: RACCOON_API_TOKEN (primary credential) and optional RACCOON_API_HOST. Both are directly used for authenticating to the described PPT OpenAPI and are proportionate to the skill's function.
Skill is not always-enabled and does not request elevated platform privileges. It persists job state and a job registry to ./output/ within the skill directory and uses file locking — this is reasonable for resume/lookup behavior but means job metadata (including job_id) will exist on disk. SKILL.md explicitly instructs not to expose job_id to end users.
Guidance
This skill appears coherent for generating PPTs via the named API. Before installing, consider: (1) you must provide RACCOON_API_TOKEN — only provide this if you trust the remote service (default host: https://xiaohuanxiong.com or override via RACCOON_API_HOST); (2) the runtime recommends sourcing your ~/.zshrc to load env vars — sourcing runs whatever commands are in that file, so be cautious if your RC contains side-effecting code; (3) the skill will write job state and a registry under the skill's ./output/ directory (so job metadata, including job_id, is stored locally); (4) if you need stronger isolation, avoid setting global tokens in shell RC files and instead set RACCOON_API_TOKEN just for the skill's execution environment. Overall the package is internally consistent with its stated purpose.
Latest Release
v1.0.1
v1.0.1 — Skill usage criteria and workflow clarification - Greatly streamlined usage boundaries and trigger examples for when to use or not use this skill. - Clarified user interaction guidelines, emphasizing natural language and hiding technical details like job_id. - Provided clear, stepwise workflow instructions for generation, supplementary Q&A, and result delivery. - Added explicit environment variable and token cleanup steps to avoid execution errors. - Improved prompt collection guidance, suggesting how to elicit missing parameters from users with sample questions. - Updated output and polling rules for a more predictable and user-friendly experience.
Popular Skills
Published by @raccoon-office on ClawHub
