Gamma
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Gamma.app API helper that uses a Gamma API key to create user-requested presentations, documents, or social posts, with no artifact-backed malicious behavior found.
This skill appears purpose-aligned and benign. Before using it, make sure you are comfortable sending the requested content to Gamma.app, spending Gamma credits for generation, and storing a Gamma API key in the environment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill lets it act through the provided Gamma API key for supported Gamma generation/status actions.
The script uses the user's Gamma API key to authenticate to Gamma's public API. This is expected for the stated integration and is not shown being logged or sent elsewhere.
-H "X-API-KEY: ${GAMMA_API_KEY}"
Use a Gamma API key intended for this purpose, rotate it if no longer needed, and monitor Gamma account usage.
Any content used to generate a deck or document will be transmitted to Gamma, so sensitive or confidential material may leave the local environment.
User-provided content is sent to Gamma's external API to generate presentations/documents/social posts. The endpoint is disclosed and purpose-aligned.
API_BASE="https://public-api.gamma.app/v1.0"
Only send content you are comfortable processing through Gamma.app, and avoid including secrets or unnecessary personal data.
Creating a Gamma generation can consume paid or limited Gamma credits.
The skill discloses that generation consumes Gamma credits. This is expected for the purpose, but it is an account-impacting action.
Credits are deducted per generation (~150-300 per deck)
Use the skill when you intend to spend Gamma credits, and consider confirming costly or repeated generation requests before running them.
Users have less external provenance information to verify the publisher or upstream project.
The registry metadata does not provide an upstream source or homepage. The included script is present and coherent, but provenance is limited.
Source: unknown; Homepage: none
Review the included script and install only if you trust the skill publisher and the Gamma API endpoint shown.
