Skill v1.0.2
ClawScan security
frontendslides · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 3:40 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and minimal requirements are coherent with its stated purpose (creating HTML presentations and converting PPTX); there are no unexplained credential requests or hidden network endpoints in the bundle.
- Guidance: This skill appears to do what it says: generate single-file HTML presentations and convert .pptx files using the included extractor. Before using it:
  1) review scripts/extract-pptx.py yourself (it only uses python-pptx, writes extracted images to a local assets/ folder, and writes a JSON file);
  2) if you will run the optional image pipeline, install Pillow and python-pptx in an isolated environment (venv) to avoid affecting system packages;
  3) be aware generated HTML may load fonts from Google/Fontshare (your browser will contact those services when opening the file);
  4) if following README instructions to git clone an external repo, inspect that repository first — cloning arbitrary external repos is separate from the skill bundle and increases risk.

  If you want additional assurance, run the Python extractor on a non-sensitive sample PPTX in a sandbox first and confirm outputs before processing confidential slides.
Review Dimensions
- Purpose & Capability (ok): The skill is a presentation generator / PPTX converter. The included Python script (scripts/extract-pptx.py) legitimately supports PPTX extraction, the CSS/MD templates are appropriate for HTML generation, and the README/SKILL.md call out the same capabilities. Required tooling (python-pptx, Pillow for optional image processing) is proportional to the conversion and image pipeline features.
- Instruction Scope (note): SKILL.md instructs the agent to generate single-file HTML slides, read and include viewport-base.css, optionally process images (Pillow) and run the provided extract-pptx.py to dump slide content/assets. The instructions do not request unrelated files, credentials, or unexpected external endpoints. Note: generated HTML templates reference external font providers (Fontshare/Google Fonts) so a viewer's browser will make network requests to those services when opening the output — this is expected for font hosting but is an external dependency.
- Install Mechanism (note): This is instruction-only with no automated install spec (no code auto-downloaded or executed by an installer). The README suggests optional git cloning from a GitHub repo and manual copying. The only active code is the small extract-pptx.py script that writes extracted images and a JSON file locally. Because there is no automatic download-from-arbitrary-URL step in the skill bundle itself, install risk is low — but cloning an external repo (optional in README) would be an external action the user should vet.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. All file I/O is local (writing extracted images to a local assets/ directory and writing extracted-slides.json). There are no secret-looking environment variables requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not attempt to modify other skills or global agent config. Autonomous invocation is allowed (platform default) but not combined with other concerning flags.
