v1.0.0

Gamma

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

The skill is a coherent Gamma.app API helper that uses a Gamma API key to create user-requested presentations, documents, or social posts, with no artifact-backed malicious behavior found.

Guidance: This skill appears purpose-aligned and benign. Before using it, make sure you are comfortable sending the requested content to Gamma.app, spending Gamma credits for generation, and storing a Gamma API key in the environment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Credits are deducted per generation (~150-300 per deck)

The skill discloses that generation consumes Gamma credits. This is expected for the purpose, but it is an account-impacting action.

User impact: Creating a Gamma generation can consume paid or limited Gamma credits.
Recommendation: Use the skill when you intend to spend Gamma credits, and consider confirming costly or repeated generation requests before running them.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an upstream source or homepage. The included script is present and coherent, but provenance is limited.

User impact: Users have less external provenance information to verify the publisher or upstream project.
Recommendation: Review the included script and install only if you trust the skill publisher and the Gamma API endpoint shown.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/gamma.sh
-H "X-API-KEY: ${GAMMA_API_KEY}"

The script uses the user's Gamma API key to authenticate to Gamma's public API. This is expected for the stated integration and is not shown being logged or sent elsewhere.

User impact: Installing and using the skill lets it act through the provided Gamma API key for supported Gamma generation/status actions.
Recommendation: Use a Gamma API key intended for this purpose, rotate it if no longer needed, and monitor Gamma account usage.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/gamma.sh
API_BASE="https://public-api.gamma.app/v1.0"

User-provided content is sent to Gamma's external API to generate presentations/documents/social posts. The endpoint is disclosed and purpose-aligned.

User impact: Any content used to generate a deck or document will be transmitted to Gamma, so sensitive or confidential material may leave the local environment.
Recommendation: Only send content you are comfortable processing through Gamma.app, and avoid including secrets or unnecessary personal data.