Html2pptx Complete
Warn
Audited by ClawScan on May 18, 2026.
Overview
The converter’s purpose is coherent, but its wrapper builds shell commands from user-supplied file paths, which could let a malicious filename run commands on the user’s machine.
Review this skill before installing or using it. Its HTML-to-PPTX behavior is otherwise aligned with its description, but avoid running it on untrusted filenames or paths until the shell-command issue is fixed, and install its dependencies in an isolated environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously named HTML file or output path could cause unintended commands to run under the user’s account when conversion is started.
CLI-supplied paths are inserted into shell commands. Quoting with double quotes does not fully prevent shell expansion or command injection for adversarial path names.
const inputPath = args[0];
const outputPath = args[1] || null;
...
execSync(`python3 "${path.join(scriptDir, 'embed-css.py')}" "${htmlPath}" "${tempHtml}"`, ...);
...
execSync(`node "${path.join(scriptDir, 'generate-pptx.js')}" "${inputFile}" "${outputPath || ''}"`, ...);
Replace execSync shell strings with execFile/spawn using argument arrays, or strictly validate and escape paths. Until fixed, only convert trusted files with simple safe paths.
Dependency updates from package registries could change behavior over time or inherit upstream supply-chain issues.
The Python dependencies are specified as version ranges, so future installs may pull newer package versions. This is common for setup, but it is less reproducible than exact pins or hashes.
beautifulsoup4>=4.12.0
cssutils>=2.7.0
requests>=2.31.0
Install in an isolated virtual environment, review dependencies before installing, and prefer pinned versions or hashes for reproducible use.
