Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gamma

v1.0.0

Generate AI-powered presentations, documents, and social posts using Gamma.app API. Use when user asks to create a presentation, pitch deck, slide deck, document, or social media carousel. Triggers on requests like "create a presentation about X", "make a pitch deck", "generate slides", or "create a Gamma about X".

by Lucas Synnott (@lucassynnott)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, API endpoint (public-api.gamma.app), and the single required environment variable (GAMMA_API_KEY) align with a Gamma.app presentation-generation skill. However, the package metadata claims no required binaries while the included script clearly depends on curl and jq—this mismatch is unexplained.
Instruction Scope
SKILL.md and the script instruct only to send user-provided content to Gamma.app and poll for status. There are no instructions to read unrelated system files, other environment variables, or to send data to endpoints other than Gamma's public API.
Install Mechanism
There is no install specification (instruction-only), which is low risk, but the repository includes an executable script that will be run. Because the script has runtime dependencies (curl, jq) that are not declared or installed, users may run it without realizing those binaries are required; this is an operational/integrity mismatch.
Credentials
Only GAMMA_API_KEY is required. That is proportional to calling Gamma.app's API. The skill does not request other unrelated secrets or access to config paths.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills or agent-wide configuration, and is user-invocable. Normal autonomous invocation is allowed by default but not combined here with extra privileges.
What to consider before installing
This skill appears to be a straightforward Gamma.app integration, but review the following before installing:
1) The included script uses curl and jq but the manifest does not declare these required binaries — ensure your environment has them or the script will fail.
2) The only secret required is GAMMA_API_KEY; provide a scoped or limited API key if Gamma supports that, and avoid using high-privilege keys.
3) The script sends content to https://public-api.gamma.app — confirm you trust that endpoint and the skill's unknown owner.
4) Because the skill contains an executable script and can be invoked by the agent, consider running it in a sandbox (or inspect/execute locally) first.
5) If the skill came from an official Gamma source or repository, that would reduce risk; absence of a homepage/known owner increases uncertainty.

Like a lobster shell, security has layers — review code before you run it.

latest vk973cn4s4753epwq5x00s27qps7z4461

Runtime requirements

Env: GAMMA_API_KEY