AI Presentation Maker
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for making slide decks, but its HTML export can embed slide text without proper escaping, which could run unwanted scripts if untrusted content is included.
Use this skill only if you are comfortable with it creating and managing files under ~/workspace/presentations. Be cautious with HTML export: avoid including untrusted pasted HTML/Markdown, review exported HTML before sharing, or prefer Markdown/PPTX until the exporter escapes slide content safely.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If untrusted or copied content containing HTML/JavaScript is included in a deck, opening or sharing the exported HTML could run unwanted browser code.
Slide body text is converted to HTML and inserted into the output without first escaping arbitrary HTML characters, unlike some other fields that use escape().
text = apply_inline(stripped)
html_parts.append(f'<p>{text}</p>') ... <div class="body">{content_html}</div>Escape all slide body content before applying allowed Markdown formatting, or use a safe Markdown renderer/sanitizer with an explicit allowlist before writing HTML exports.
The agent may create directories, copy the helper script, check installed tools, and save/delete/export presentation files under the workspace.
The skill asks the agent to execute local setup/check/export commands. This is expected for a local deck generator, but users should notice the agent will operate on local files.
NEVER tell the user to open a terminal or run commands. You have the exec tool. USE IT. Run every command yourself via exec.
Keep command use limited to the documented ~/workspace/presentations path and require user confirmation before destructive actions such as delete or overwrite.
Opening exported HTML may make an external web request and may render differently offline.
Generated HTML includes a third-party font import, so viewing an exported deck can contact Google Fonts even though the core skill otherwise appears local.
@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300;400;600;700;800&display=swap');Disclose the external font load, provide an offline/no-remote-font option, or bundle/use system fonts by default.
Sensitive pitch or business information can remain in local files after the session until the user deletes it.
The skill stores generated presentation content persistently on disk, which may include business plans, audience details, costs, and speaker notes.
stateDirs":["~/workspace/presentations","~/workspace/presentations/decks","~/workspace/presentations/exports"],"persistence":"Presentation data stored as JSON + Markdown under ~/workspace/presentations/.
Do not include secrets unless needed, review saved decks before sharing, and delete/archive local presentation files when no longer needed.