Back to skill
Skillv1.0.3
ClawScan security
PPT Compressor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 3:48 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (compress PPTX by reducing embedded image sizes and converting to PDF); it requests no credentials, installs nothing itself, and contains no network or secret-exfiltration behavior.
- Guidance
- This skill is coherent and appears to do only local PPTX processing. Points to consider before installing: (1) It relies on macOS's sips for image compression and LibreOffice (soffice) for PDF conversion — ensure those are available or adjust the environment. (2) The script modifies images inside an extracted copy and repackages; the original PPTX is not overwritten, but always test on a copy of important files. (3) It runs subprocesses (sips/soffice) locally — if you run in an unfamiliar environment, do so in an isolated environment or inspect the script (already provided) before use. (4) The compression is image-focused (files >1MB) and results will vary; no network or credential use was found.
Review Dimensions
- Purpose & Capability
- okName/description (PPT compression) aligns with the included script and SKILL.md. The script extracts PPTX, compresses images, repacks, and calls LibreOffice to convert to PDF — exactly what the skill says it will do. Dependencies (sips, LibreOffice) are consistent with the stated workflow.
- Instruction Scope
- okSKILL.md instructs only local operations required for the task: decompress PPTX, run sips to compress images, repackage, and convert with soffice. The script operates on the user-supplied file path and output directory and does not read unrelated files, environment variables, or contact external endpoints.
- Install Mechanism
- okNo install spec; the skill is instruction-only plus a local Python script. That is low-risk and proportionate. SKILL.md suggests installing LibreOffice via brew, which is reasonable and expected.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. The script does not attempt to access secrets or unrelated system configs.
- Persistence & Privilege
- okalways is false, the skill does not request persistent system-wide changes, and it does not modify other skills or agent configuration. It performs only transient local file operations within a temporary directory and the user-specified output directory.