Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gamma Presentation Generator
v1.0.0Generate professional presentations with Gamma AI. Just describe what you want — topic, outline, or full content — and get a polished deck. No Gamma account...
⭐ 0· 146·0 current·0 all-time
by@lmanchu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the behavior: the skill calls the Gamma API to create and download presentations. However the prose repeatedly claims 'No Gamma account needed' and 'The skill owner covers this cost — users generate for free', while the code and SKILL.md require a GAMMA_API_KEY (or a local ~/.gamma/config.json). That is a misleading claim about who provides/hosts the API key and who pays.
Instruction Scope
SKILL.md instructs the agent to run a single bundled script (generate.ts) with GAMMA_API_KEY set and to save the resulting PDF/PPTX. The instructions do not ask the agent to read unrelated system files or exfiltrate data beyond contacting the Gamma endpoints and downloading the generated file. The script reads only the env var and ~/.gamma/config.json as a fallback; no other files or credentials are referenced.
Install Mechanism
There is no install spec (instruction-only deployment) and the included code runs locally under Bun. No remote downloads or archive extraction are performed by the skill itself. Required binary 'bun' is reasonable given the TypeScript script.
Credentials
The skill requires a single credential (GAMMA_API_KEY), which is appropriate for calling the Gamma API. However: (1) registry metadata lists no primary credential even though GAMMA_API_KEY is required; (2) the documentation's claim that users don't need a Gamma account and that the skill owner pays is inconsistent with the code that uses a key from the environment or a local ~/.gamma/config.json. That mismatch could mislead users into exposing an API key they didn't intend to manage or pay for.
Persistence & Privilege
The skill is not marked always:true and does not request special system privileges. It only reads a local config file (~/.gamma/config.json) as a convenience fallback, and writes the output file to the user-specified path. It does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (call Gamma to generate decks), but the published description misstates who must provide/pay for the Gamma API key. Before installing: (1) confirm how API keys/billing will be handled — you will need a GAMMA_API_KEY in your environment or a local ~/.gamma/config.json for the script to run; (2) review the bundled generate.ts locally (it is small and readable) and run it yourself rather than trusting a shared key; (3) do not paste a high-privilege or organization-wide Gamma key into a skill you don't fully trust — create a limited/test key if possible; (4) verify the skill's origin (there is no homepage and the owner id is opaque). If these inconsistencies worry you, treat this as untrusted code and run it in an isolated environment or decline installation.generate.ts:16
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
gammavk97a8wma5a9h6mt1pwh6hrw5ax83cwjelatestvk97a8wma5a9h6mt1pwh6hrw5ax83cwjepdfvk97a8wma5a9h6mt1pwh6hrw5ax83cwjepptxvk97a8wma5a9h6mt1pwh6hrw5ax83cwjepresentationvk97a8wma5a9h6mt1pwh6hrw5ax83cwjeslidesvk97a8wma5a9h6mt1pwh6hrw5ax83cwje
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎯 Clawdis
OSmacOS · Linux · Windows
Binsbun
EnvGAMMA_API_KEY