Skillv1.4.0

ClawScan security

Slidev PPT Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 14, 2026, 8:47 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requests are coherent with a Slidev-based presentation generator; it reads/writes slide files and installs local npm dependencies but does not ask for unrelated credentials or hidden endpoints.
Guidance: This skill appears to do what it says: generate slides.md, initialize a local Slidev project, and export PDF/PPTX. Before using it, note that it will run npm commands and may install dev dependencies (including playwright-chromium) into the project directory (default: ~/slidev-ppt), which will download packages and browser binaries from the Internet and write files to disk. If you have security concerns: review the three scripts (init-project.js, generate.js, export.js), run the skill in a disposable directory or VM, ensure Node >= 18 is available, and inspect any package.json created before allowing installs. Also be aware slides may reference external Unsplash image URLs (remote resources) if you accept those defaults. There are no requests for secrets or other system credentials.

Review Dimensions

Purpose & Capability: okName/description ask for Slidev markdown generation and export; required binaries (node, npm), included scripts (generate/init-project/export) and example files align with that purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: okSKILL.md limits activity to generating/modifying slides.md, initializing or reusing a local Slidev project (default ~/slidev-ppt), previewing, and exporting. It does instruct reading existing slides.md and package.json in the project directory and to install project deps when needed — all within the Slidev workflow. It does not request or instruct reading unrelated system files or secrets.
Install Mechanism: noteThere is no platform-level install spec (instruction-only), but included scripts call npm to initialize a project and install dev dependencies in the target project directory. That will fetch packages from the npm registry; Playwright (used for PDF/PPTX export) has install-time actions and may download browser binaries. This behavior is expected for export functionality but means network downloads and disk writes will occur.
Credentials: okThe skill requests no environment variables or credentials. All required access is local file-system and npm/Internet for dependency installs, which is proportionate to building and exporting Slidev projects.
Persistence & Privilege: okThe skill is not marked always:true and does not modify other skills or global agent config. It runs tools and writes files only in the target project directory (defaulting to ~/slidev-ppt), which is typical for this kind of utility.