Marp Cli
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill coherently documents Marp CLI presentation conversion, with optional server, local-file, and automation modes that users should enable only deliberately.
This skill appears safe for its stated purpose if you already trust the local Marp CLI installation. Before installing, verify the `marp` binary comes from the official project, use server mode only for directories you intend to share, and enable `--allow-local-files` only for trusted Markdown decks.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local `marp` command comes from an untrusted or unexpected source, the skill would invoke that binary.
The skill has no bundled code or install spec and relies on a separately installed CLI; this is normal for a CLI wrapper, but binary provenance and version choice are left to the user.
This skill assumes `marp` is installed. Installation methods include: ... `npm install -g @marp-team/marp-cli` ... Standalone binaries: Download from GitHub releases
Install Marp CLI from official sources and ensure the `marp` command on PATH is the intended one.
Using this option on untrusted Markdown could cause local resources referenced by the deck to be read or embedded in generated output.
The documented `--allow-local-files` option expands what the renderer may access from the local filesystem; the artifact appropriately notes that the default blocks this for security.
# Allow local files (use with caution) marp --pdf --allow-local-files deck.md # Note: Default blocks local file access for security
Use `--allow-local-files` only for trusted decks that need local assets, and avoid running it from directories containing sensitive files.
If used on an open network or with a permissive firewall, other users may be able to access served presentations or generated formats.
The examples show binding Marp's server mode to all interfaces, which is useful for sharing but can expose the served slides directory beyond the local machine.
HOST=0.0.0.0 PORT=8080 marp -s ./slides
Prefer localhost for private work, serve only a narrow intended directory, and avoid exposing confidential decks on untrusted networks.
A user who installs such automation may keep generating presentation outputs on a schedule even after the immediate task is done.
The artifact includes an optional recurring automation example; it is disclosed and purpose-aligned, but it would continue running until the user removes it.
# Cron Job # Generate daily report 0 9 * * * marp --pdf /path/to/daily-report.md -o /output/report-$(date +%Y%m%d).pdf
Use cron, watch mode, and hooks only when ongoing automation is desired, and remove or stop them when no longer needed.