suspicious.dangerous_exec
- Location: scripts/html_to_pptx.js:60
- Finding: Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 13, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local Node.js code from the skill package to create the PPTX.
The main script launches another bundled Node script for the v9 preset path. This is executable local code, but it is disclosed by the CLI workflow and aligned with the conversion purpose.
execFileSync(process.execPath, args, { stdio: 'inherit' });
Run it only from a trusted skill directory and keep input/output paths user-directed.
Installation may fetch packages and run standard npm installation behavior, even though the registry requirements section does not advertise required binaries.
The skill depends on npm-installed packages, which is normal for a Node-based converter, but the registry metadata has no install spec or required binary declarations.
From the skill directory:

```bash
npm ci
```

If that fails ...

```bash
npm install
```
Prefer `npm ci` with the included lockfile, and review dependency changes if falling back to `npm install`.
If the agent extends the skill, future conversions may use newly added code or mappings.
The skill documents modifying its own scripts to add new presets. This is purpose-aligned for an extensible converter, but it can persistently change future skill behavior.
Update `scripts/html_to_pptx.js` so it can... accept `--preset=<your-preset>` and dispatch to the new renderer
Ask for user approval before changing skill files, keep changes scoped to the new preset, and retain a backup or version history.