free-mp4-pptzc

ReviewAudited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its presentation-video purpose, but HTML mode can automatically install unpinned Playwright/Chromium and it sends narration text to an external TTS service.

Review before installing or running HTML mode. Ask the agent to get your approval before installing Playwright/Chromium, avoid confidential scripts unless external TTS is acceptable, and preview the generated slides to remove hardcoded template branding.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The skill may modify the local Python environment and download a browser binary without a separate install approval step.

Why it was flagged

Running HTML mode can automatically install an unpinned package and download Chromium when Playwright is missing, despite the registry showing no install spec.

Skill content

if args.install_playwright or not find_playwright():
        install_playwright()
...
subprocess.run(["pip", "install", "playwright"], check=True)
subprocess.run(["python", "-m", "playwright", "install", "chromium"], check=True)

Recommendation

Require explicit user confirmation before dependency installation, move dependencies into a declared install spec, and pin package/browser versions.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Private or confidential presentation scripts may be sent to the TTS provider to create narration.

Why it was flagged

Narration text is passed to Edge TTS to generate audio, which implies external provider communication for the supplied script.

Skill content

communicate = edge_tts.Communicate(
        text,
        voice,
        rate=rate,
        pitch=pitch
    )
    
    await communicate.save(output)

Recommendation

Disclose the TTS provider clearly and avoid submitting sensitive scripts unless the user accepts that external processing.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

If used as-is, generated videos may include unrelated branding or sample text that the user did not intend to publish.

Why it was flagged

The included HTML template contains fixed sample branding/content rather than neutral placeholders.

Skill content

<h1 class="title">SenseNova 6.7 Flash-Lite</h1>
<p class="subtitle">工作效果展示与未来展望</p>
...
<span class="footer-text">商汤科技 AI 助手</span>

Recommendation

Preview generated slides and replace hardcoded template text with user-provided placeholders before using HTML mode.