Skill v1.0.0
ClawScan security
tophantppt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 3:27 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, lack of installs, and lack of requested credentials are consistent with its stated purpose of producing editable .pptx slides driven by background images.
- Guidance: This skill appears coherent and low-risk, but consider these practical points before use: 1) Test with non-sensitive sample PPTX files first — the skill needs access to any file you want it to read or edit. 2) Prefer providing raw/direct image URLs or embedding images to avoid broken links; GitHub 'blob' links are HTML pages, not direct image endpoints. 3) Be aware that fetching remote images will make outbound network requests (possible IP/metadata exposure to the image host). 4) Confirm you have rights to use any background images you supply. 5) If you require higher assurance, ask the author for a source repository or code so you can review exact IO/network behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description describe generating editable PPTX driven by background images. The SKILL.md contains extensive, PPT-specific guidance (slide types, background as visual layer, OOXML notes) and does not request unrelated credentials or system access.
- Instruction Scope (note): Instructions focus on reading/inspecting PPTX templates, selecting layouts, placing editable text boxes over background images, and embedding or validating background image URLs. This behavior is expected for a PPT generation/editing skill. Notes: the provided placeholder URLs use GitHub 'blob' links (HTML pages) rather than raw image URLs — the skill should use raw.githubusercontent.com or embedded assets to avoid broken image fetches. Also, fetching remote image URLs will cause outbound network requests which can expose the agent/runtime IP to the image host.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest-risk install footprint. Nothing is downloaded or written by an installer.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The declared requirements align with the task; the skill will need access to user-provided PPTX files and to fetch background image URLs at runtime, which is reasonable for this function.
- Persistence & Privilege (ok): always is false and autonomous invocation is allowed (platform default). The skill does not request persistent system presence or modify other skills/configs.
