Skillv1.0.6

ClawScan security

Awesome Deck Pdf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 4:18 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and runtime needs are coherent with its stated purpose (generate HTML slide decks and export PDFs); nothing requests unrelated credentials or surprising system access.
Guidance: This skill appears to do what it says: it analyzes a design source (URL/image/.pptx), asks you to confirm style and content, generates an HTML deck, and uses Puppeteer to export a PDF. Before installing or running it: - Expect the agent to make outgoing network requests when you provide a website URL (it will visit and screenshot the URL). Avoid giving private/intranet URLs or URLs requiring credentials unless you understand the risk. - You must install Node (≥18) and puppeteer or puppeteer-core (the Chromium download can be large); the script may run Chrome with --no-sandbox (common for containerized environments) — avoid running untrusted code with elevated privileges. - If you plan to use .pptx parsing, install python-pptx; the repo provides example code snippets but not a packaged Python helper script. - The skill writes slides.html, temporary images (_pdf_pages/), and slides.pdf in the current working directory and removes temp files; review files before sharing. - Source is listed as unknown and homepage is absent — if installing on a sensitive machine, review the included files (export_pdf.js and SKILL.md) locally or run in an isolated environment. Overall: coherent and proportionate, but follow the usual caution for running tools that fetch remote URLs and execute headless Chromium on your system.

Review Dimensions

Purpose & Capability: okName/description match the provided artifacts: SKILL.md and export_pdf.js implement HTML generation, site/screenshot analysis, .pptx parsing guidance, and Puppeteer-based PDF export. The declared lack of required env vars and binaries is consistent with an instruction-oriented skill that expects Node and optional Python libraries to be installed locally.
Instruction Scope: noteRuntime instructions ask the agent to fetch website URLs (Puppeteer screenshots / CSS extraction), parse user-supplied .pptx with python-pptx, and write slides.html and slides.pdf to disk. This stays within the feature scope, but it implies outgoing network requests (to target URLs) and local file reads/writes. The SKILL.md includes sample python code but no accompanying Python helper script; the agent or user must run python-pptx themselves.
Install Mechanism: okNo install spec; the skill is instruction-first with a small Node script. It relies on standard public packages (puppeteer / puppeteer-core and python-pptx) and does not download arbitrary archives or call unknown remote installers. The export script auto-detects Chromium or falls back to system Chrome.
Credentials: okThe skill requests no environment variables or credentials. It requires local Node/Python runtimes and permission to read user-supplied files and write temporary files in the working directory — all proportionate to building and exporting slide PDFs.
Persistence & Privilege: okFlags show default permissions (always: false, model invocation allowed). The skill does not request permanent presence, nor does it modify other skills or system-wide settings. It writes temporary and output files within the working directory and cleans up temporary files.