Skill v1.0.0
ClawScan security
Html2pptx Complete · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 6:16 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (HTML → PPTX conversion), requests no credentials, and uses expected local Python/Node dependencies and filesystem operations.
- Guidance: This skill appears to do exactly what it claims: embed local CSS and convert HTML to editable PPTX using local Python and Node scripts. Things to consider before installing: (1) it will install npm and pip packages—review those packages if you require vetted dependencies; (2) scripts run child processes and read/write files in the directories you provide—run in a directory you control and avoid passing sensitive-system HTML; (3) remote image URLs in <img src> may be fetched/embedded by pptxgenjs—if that is a concern, ensure images are local or sanitize the HTML first; (4) test in an isolated environment if you want extra caution.
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and SKILL.md: scripts embed local CSS, parse HTML with cheerio/pptxgenjs and emit PPTX. Declared Python/Node deps align with package.json and requirements-python.txt.
- Instruction Scope (note): Runtime instructions and scripts operate on local files (HTML, CSS, images) as expected. The embed-css step explicitly skips remote CSS; the generator will include images referenced by <img src>, which may be local paths or remote URLs (pptxgenjs can embed images from URLs). The workflow invokes local Python and Node scripts via execSync—expected for a multi-language tool, but worth noting because it runs child processes and reads/writes files in the caller's filesystem.
- Install Mechanism (ok): There is no remote download/install spec in the skill bundle. Dependencies are standard pip and npm packages (beautifulsoup4, cssutils, requests, pptxgenjs, cheerio) declared in SKILL.md, requirements and package.json—no obscure external URLs or archive extracts.
- Credentials (ok): The skill declares no required environment variables, and the code does not read credentials or unrelated environment/config paths. Filesystem access is limited to input HTML/CSS/images and writing generated PPTX/temporary files, which is proportional to the conversion task.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or global agent configuration. It runs as-invoked and cleans up its temporary file when possible.
