Skill v1.0.0
ClawScan security
Slide Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 18, 2026, 10:23 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (generate single-file HTML slides), but the runtime instructions ask the agent to auto-update the repo (git pull) and run local scripts, which gives the skill a mutable network-updatable execution surface that isn't proportional to its stated purpose.
- Guidance: This skill appears to implement slide generation as advertised, but it asks the agent to run `git pull --ff-only` on each run (auto-update) and includes local scripts that the agent may invoke. Auto-updating code at runtime lets the remote repo change the skill's behavior after you reviewed it. Before installing or enabling: 1) Inspect the included scripts (preview.sh, smoke-test.sh) and the Python files (apply-template-branding.py, inline-images.py) for any network calls, subprocess execs, or arbitrary shell commands. 2) If you want to use it, consider disabling the automatic git pull step or run the skill in an isolated environment (no network access) and update manually after reviewing changes. 3) Avoid providing any secrets or credentials to the skill; it does not need them. 4) If you must allow auto-updates, pin the repo to a trusted commit and periodically re-review upstream changes. If you want, I can: (A) list the exact contents of the four scripts for a quick inspection, or (B) highlight patterns (curl/wget/python requests/exec) to look for in the repository.
- Findings
[base64-block] expected: The project embeds many logos and standalone HTML examples; large base64 or long text blocks are plausible for embedded SVG/PNG data. The scanner flagged base64-like blocks in the SKILL.md or related assets — this can be benign (embedded images) but merits a quick inspection of those files to ensure they only contain expected asset encodings.
Review Dimensions
- Purpose & Capability (note): Name/description, included templates, components and scripts match the stated purpose (converting drafts into single-file HTML presentations). However the SKILL.md requires an automatic git pull at runtime (Phase 0) to 'auto-update themes and rules', which is not necessary for generating a slide from local input and expands the skill's capabilities beyond the stated purpose.
- Instruction Scope (concern): SKILL.md instructs the agent to run shell commands (explicitly `git pull --ff-only` as 'must execute'), read repository files (themes/_index.md, template.html, components.md) and read/modify existing HTML files. The mandatory auto-update step introduces network operations and implicit trust in remote code changes. The skill also says it will 'infer from current user information' (unspecified), which could lead to the agent accessing environment or profile data not declared in requires.env.
- Install Mechanism (concern): There is no formal install spec (instruction-only), but the repo includes helper scripts (preview.sh, smoke-test.sh) and Python utilities. The primary risk is the SKILL.md's mandatory runtime `git pull` which fetches code from the remote repository each run. While the remote is a GitHub repo (a familiar host), auto-pulling code at runtime creates a mutable execution surface that can change behavior after initial review.
- Credentials (note): The skill declares no required environment variables or credentials, which is proportionate. That said, the instructions reference inferring 'current user information' and expect to read and write files in the repository—these are reasonable for a generator but are not explicitly constrained in SKILL.md (no explicit list of allowed file paths).
- Persistence & Privilege (note): always:false and no claim to modify other skills or global settings. The remaining concern is that autonomous invocation (platform default) combined with the SKILL.md auto-update behavior increases the blast radius: if the repo changes remotely, an autonomously-invoked skill can run newly-pulled code.
