Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Slides Generator
v1.0.0
Create Hummingbot-branded PDF slides from markdown with Mermaid diagram support. Use for presentations, decks, and technical documentation with professional...
by Michael Feng (@fengtality)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (markdown -> PDF slides with Mermaid support) matches the included script's functionality, but the SKILL.md declares no required binaries or env vars while instructing users to run tools that do require them (python3, fpdf2, mermaid-cli/npm). That mismatch is unexpected and reduces transparency.
Instruction Scope
The SKILL.md explicitly instructs executing a remote script via bash <(curl -s https://raw.githubusercontent.com/...), which downloads and executes code at runtime. The document also instructs global installs (npm -g, pip3 install) and saving temporary files. There are no instructions to verify the remote script or pin a commit hash. Apart from that, the instructions limit file access to the provided markdown and optional logo.
Install Mechanism
There is no formal install spec, but the runtime script will auto-install Python packages (pip3 install fpdf2) and relies on mermaid-cli (either installed or run via npx, which pulls from npm). The SKILL.md's curl|bash pattern executes code fetched from GitHub at runtime; while GitHub is a known host, downloading and executing unverified remote code is high risk. The script's auto-installation uses global installs (no --user), which can modify the system environment.
Credentials
The skill does not request environment variables, credentials, or config paths. The script also does not read other system credentials. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-on and does not request special platform privileges. However, the script performs package installations (pip3 install, and may invoke npm installs via npx) that can affect the host environment and may require elevated permissions. It does not persistently modify agent configuration or other skills.
What to consider before installing
This skill likely performs the claimed slide generation, but exercise caution before running it. Specific recommendations:
- Do NOT run the curl | bash command without inspection. Instead, inspect the script text first or use the local scripts/generate_slides.sh included with the skill package.
- Prefer running the script in an isolated environment (container or VM) or a Python virtualenv and use npm with --location=project or --user equivalents to avoid global installs.
- The script will automatically run pip3 install fpdf2 (no --user) and may invoke npx to pull mermaid-cli — these change your system and could run arbitrary code. Consider manually installing verified dependencies from trusted sources.
- If you must use the remote URL, verify it points to a pinned commit or release (not just raw/master) and review the script content for unexpected network calls or command execution.
- If you need stronger assurance, ask the skill author for a signed release, a reproducible package, or a versioned GitHub release instead of executing raw content from the web.
- If you are not comfortable auditing shell/Python scripts, avoid running this skill on sensitive hosts.
Like a lobster shell, security has layers — review code before you run it.
