codex-ppt

SUSPICIOUS. The core behavior matches the stated PPT-generation purpose, and required credentials are mostly proportionate. The main risk is data-flow integrity: the fallback path can route prompts and API keys to arbitrary OpenAI-compatible base URLs through custom local scripts, so users could unknowingly send content and credentials to third-party intermediaries. Supply-chain risk is moderate because execution depends on repo-provided bootstrap/runtime scripts from a personal GitHub publisher, but there is no clear evidence of malicious intent.