SlideSpeak
PassAudited by ClawScan on May 10, 2026.
Overview
SlideSpeak appears purpose-aligned for creating and editing presentations, but it uses a SlideSpeak API key and can upload selected documents or configure webhooks.
This skill looks reasonable for SlideSpeak users. Before installing, be comfortable giving it a SlideSpeak API key, uploading selected documents to SlideSpeak, and letting it modify presentations when you request edits. Use trusted webhook URLs only and verify destructive slide operations before running them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The helper can act through the user's SlideSpeak account, including generating or editing presentations and potentially consuming account credits.
The skill needs a SlideSpeak API key, which is expected for this integration but gives the helper delegated access to the user's SlideSpeak account.
Required env vars: SLIDESPEAK_API_KEY ... Primary credential: SLIDESPEAK_API_KEY
Use a key intended for this service, keep it secret, and revoke or rotate it if you no longer use the skill.
A mistaken presentation ID, slide position, or edit type could alter or delete presentation content.
The skill runs a local Bash/Node helper and supports slide mutation, including removal. This is aligned with managing presentations, but it is a meaningful account action.
allowed-tools: Bash Read Write ... node scripts/slidespeak.mjs edit-slide ... --type REMOVE ... # Remove slide at position 4
Confirm presentation IDs and slide positions before using INSERT, REGENERATE, or REMOVE operations, especially on important decks.
Documents, prompts, generated presentation task data, and webhook notifications may leave the local environment and be processed by SlideSpeak or sent to the configured webhook endpoint.
The helper can read a user-specified local document and upload it to SlideSpeak, and it can register a user-provided webhook URL. These data flows are disclosed and purpose-aligned.
const fileBuffer = fs.readFileSync(filePath); ... fetch(`${API_BASE}/document/upload`, ...); ... apiRequest('/webhook/subscribe', { method: 'POST', json: { url: args.url } })Upload only documents you intend to share with SlideSpeak, and only subscribe webhook URLs you control and trust.
Users have less provenance information for deciding whether to trust the skill publisher and helper script.
The registry does not identify a source repository or provenance. The included helper code is visible and no package install is shown, so this is a provenance note rather than a behavioral concern.
Source: unknown
Review the visible files and publisher information before installing; prefer a version with a known source repository if available.