Slide Creator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is mostly coherent for generating local HTML slide decks, with some review-worthy implementation and metadata notes but no artifact-backed malicious behavior.

This looks appropriate for creating local HTML slide decks. Before installing, verify the package includes the referenced validator script, avoid running developer eval tooling unless you trust the repository, and do not supply credentials because normal slide generation should not need them.

Static analysis

Dynamic code execution

Critical
Finding
Dynamic code execution detected. (The static scan reports this identical finding 14 times.)

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you manually run the eval/test scripts, they may execute local project modules; this is normal for developer tooling but should be done only from a trusted checkout.

Why it was flagged

The static scan shows dynamic module loading in an evaluation script. That executes Python module code if the eval script is run, but the file path and surrounding artifact context indicate local test/eval infrastructure rather than a hidden install-time action.

Skill content

spec.loader.exec_module(module)

Recommendation

Use the skill for normal slide generation without running developer eval scripts unless you trust the source and understand what those scripts do.

What this means

The slide generation flow may fail or skip an intended validation step if the referenced validator is not actually included.

Why it was flagged

The skill relies on a strict HTML validator before accepting output, but the provided manifest/code-file list does not show scripts/validate_html.py, which creates a package-completeness and reliability gap.

Skill content

python3 scripts/validate_html.py "$TMP_HTML" --strict

Recommendation

Before relying on the strict validation claim, confirm the installed skill contains the referenced validation script or an equivalent documented validator.