Skill v1.0.0

ClawScan security

html-ppt-to-pdf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 5:00 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (converting HTML slide decks to vector PDFs using Playwright/Chromium); it asks for no secrets and contains no obvious exfiltration or unrelated capabilities.
Guidance
This skill appears to do exactly what it says: convert HTML slides (section.slide convention) into vector PDFs using Playwright/Chromium. Before installing or running it, consider:
1) npm install + Playwright will download large browser binaries (expect ~100–300 MB); run in an environment where that is acceptable.
2) The script will read your input HTML and any local asset files it can access (including ~/.myagents/skills/html-ppt for remapped assets) and may load web fonts/resources over the network — if your HTML references remote resources you don't want fetched, host fonts locally or run offline.
3) If you are concerned about running third-party Node code, review scripts/html-to-pdf.mjs yourself or run it in a sandbox/container.
4) The skill requests no secrets or external endpoints and logs page errors/failed requests locally; still verify outputs (PDF contents, embedded fonts) before sharing.
Overall, the footprint and behavior are proportional and coherent with the stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the provided code and SKILL.md. The script uses Playwright/Chromium to render HTML slides and applies many targeted CSS/JS fixes for known slide frameworks; the npm dependency on Playwright and pdf-lib is proportional to the task (browser-driven PDF generation and optional PDF post-processing).
Instruction Scope
note: Runtime instructions and the script stay within the conversion task: they load a local HTML file, adjust CSS/DOM to force print-friendly layout, and emit a PDF. The script reads the filesystem (input HTML, writes output PDF) and will attempt to load web fonts/resources referenced by the HTML (network). It also remaps asset paths that reference a local html-ppt install under ~/.myagents/skills/html-ppt — this is reasonable for the declared use but means the skill accesses files under the user's home directory.
Install Mechanism
note: There is no automatic install spec in the registry; SKILL.md instructs users to run npm install and npx playwright install chromium. That will download Playwright and (optionally) a Chromium binary (hundreds of MB). All package sources shown are standard npm registries/mirrors; no downloads from shorteners/personal servers are present.
Credentials
ok: The skill declares no required credentials or sensitive env vars. It does read standard environment values (HOME or USERPROFILE) to find the user's skill directory and can use HTTPS_PROXY/HTTP_PROXY if set or passed on the CLI — this is justified for fetching remote fonts/assets and is documented in SKILL.md.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes only the output PDF and may read local skill asset folders; it does not modify other skills' configs or system-wide settings.