Skill v1.0.0

ClawScan security

Ppt Generator Template · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 6:37 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a simple PPT/HTML generator: it splits text into slides and writes an HTML file to the current working directory, with no network access or secret requests.
Guidance
This skill appears coherent and implements a local HTML slide generator. Before installing, note: (1) it writes files named presentation-<timestamp>.html into the agent's current working directory—confirm you are comfortable with the agent writing files there; (2) it is a Node script and requires a Node runtime to execute — the skill itself doesn’t install Node; (3) SKILL.md mentions template.html and an assets/ directory that are not included, so styling/custom assets may be incomplete; (4) the code performs no network calls and requests no secrets, which reduces exfiltration risk. If you allow the agent filesystem access and Node execution, this skill is reasonable; if you do not want the agent to create files or run Node code, do not enable it. If you want higher assurance, inspect the included index.js yourself or run it in a sandboxed environment first.

Review Dimensions

Purpose & Capability
note: The name/description (Jobs‑style PPT generator) match the included index.js and example.html which generate a standalone HTML presentation. Minor inconsistency: SKILL.md mentions template.html and an assets/ directory that are not present in the file manifest (only example.html and index.js are included). This looks like an editorial/incomplete-template issue, not a security mismatch.
Instruction Scope
ok: SKILL.md describes receiving user speech, splitting content into slides, and producing an HTML file. The runtime code implements exactly that: it splits text, produces HTML, and writes presentation-<timestamp>.html. The instructions and code do not read unrelated system files, access environment variables, or transmit data externally.
Install Mechanism
ok: There is no install spec (instruction-only skill) and no downloads. The single code file is standard Node.js code using built-in fs/path modules; nothing is fetched or extracted from external URLs.
Credentials
ok: The skill requests no environment variables, no credentials, and the code does not reference process.env or any external secrets. The file-write behavior (writing to the current working directory) is proportionate to generating an output HTML file.
Persistence & Privilege
ok: The skill does not request permanent/always-on presence and does not modify other skills or global agent configuration. It writes files to cwd only (expected for a generator).