Skill v1.6.1
ClawScan security
Mck Skill Repo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 12:59 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required binaries are consistent with its stated purpose (programmatic generation and cleanup of McKinsey‑style PPTX using python‑pptx); nothing requests unrelated credentials or network exfiltration.
- Guidance: This skill appears internally coherent and implements what it claims: programmatic PowerPoint generation and XML cleanup to avoid corruption. Before running: (1) review the included example scripts yourself (they are small and readable); (2) run pip install python-pptx lxml in a virtualenv to isolate dependencies; (3) run examples in a dedicated directory (they create minimal_output.pptx and rewrite it with full_cleanup); (4) note the README suggests an optional 'npx clawhub install' path—npx/node is not required for the core functionality; and (5) if you will run this in automated/production contexts, verify font availability (KaiTi/Georgia/Arial) and test outputs on your target PowerPoint client. The only minor oddities: a version string mismatch (SKILL.md v1.6.0 vs registry v1.6.1) and the optional npx install suggestion not declared as a required binary—these are not security issues but worth noting.
Review Dimensions
- Purpose & Capability (ok): Name/description = programmatic McKinsey-style PPT generation; required binaries (python3, pip), example scripts, library requirements (python-pptx, lxml), and SKILL.md all align with that purpose. Provided code implements layout helpers, typography handling, and post-save XML cleanup as described.
- Instruction Scope (ok): SKILL.md instructs installing python packages, running included example scripts, and copying SKILL.md into a skills folder. Runtime instructions and code only read/write local files (generate and sanitize .pptx), manipulate ZIP/XML inside the .pptx (full_cleanup), and do not reference external endpoints, secrets, or unrelated system paths.
- Install Mechanism (note): There is no formal install spec (instruction-only), which is low-risk. The README suggests pip install and optionally 'npx clawhub install'—the latter would require Node/npx but node is not declared as a required binary (this is optional/UX guidance rather than a silent dependency).
- Credentials (ok): No environment variables, credentials, or config paths are requested. All operations are local and tied to PPT generation/cleanup; required libraries are proportional to the task.
- Persistence & Privilege (ok): Skill is not marked always:true and uses normal autonomous invocation defaults. It does not request persistent system-wide privileges or modify other skills' configs. Example scripts write output files and replace them via atomic rename during cleanup (expected behavior).
