Skill v0.1.3
ClawScan security
open-show · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 5:06 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and dependency list are consistent with its stated purpose (converting documents/URLs into single-file HTML slides); it requires no extra credentials or unusual install steps.
- Guidance: This skill is coherent for converting documents/URLs to single-file HTML slides, but review the following before installing/using:
  1. The script will fetch remote pages and images when given a URL — converting remote images to data URIs when possible; if inlining fails it will leave original image URLs, which can cause network requests when you open the generated HTML.
  2. Running the suggested pip installs will download packages from PyPI; audit the packages if you have strict supply-chain requirements.
  3. The tool writes output files to ~/openshow_outputs — treat generated files like any other local file.
  4. If converting sensitive documents, avoid passing them as URLs; use local files and inspect the script to ensure no unexpected network callbacks.
  5. If you plan to use the OpenClaw integration or automatic open (--open/--openclaw), be aware the generated HTML may execute client-side JS when opened; inspect the generated HTML if you have concerns.

  Overall the components and actions match the described purpose.
Review Dimensions
- Purpose & Capability: ok. The name/description (document → single-file HTML slideshow) match the declared/parsing logic and listed dependencies (markdown, python-docx, requests, beautifulsoup4, pymupdf). Required binaries/env vars are none, which is appropriate for a local Python script-based tool.
- Instruction Scope: ok. SKILL.md instructs the agent to check/import Python deps, optionally pip-install them, then run the local Python script with a user-provided input (file path or URL). The runtime instructions only reference the input, local output directory (~/openshow_outputs), and opening the generated file in a browser — all consistent with the stated goal. The script performs expected actions (fetch URL, parse HTML/markdown/docx/text, inline images to data URIs).
- Install Mechanism: ok. There is no automated install spec; SKILL.md recommends installing Python packages via pip (markdown, python-docx, requests, beautifulsoup4, pymupdf). This is a standard, proportionate approach for a Python-only, instruction-first skill.
- Credentials: ok. The skill requests no environment variables or credentials. All filesystem access is to user-supplied inputs and the fixed output directory under the user's home. Network access (requests) is justified only for URL inputs and for fetching remote images to inline them; no unrelated credentials are requested.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request elevated persistence. It writes outputs to ~/openshow_outputs (user home) which is coherent for a generator tool. There is no indication it modifies other skills or global agent configuration.
