Open Slide
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or scaffolding a deck may run code from external package sources.
These commands fetch and run the upstream open-slide CLI at use time without a pinned version. This is expected for scaffolding an open-slide deck, but it means the user is trusting external npm package content.
pnpm dlx @open-slide/cli init <deck-name> # or: npx @open-slide/cli init <deck-name>
Use trusted package registries, consider pinning package versions, and review the upstream open-slide project before using it in sensitive environments.
The skill can open a URL in a local browser and create or overwrite a PDF at the chosen output path.
The export helper launches Chromium, opens the provided slide URL, captures screenshots, and writes them into a PDF. This is central to the stated PDF export purpose, but it is still local browser automation and file creation.
browser = await p.chromium.launch()
...
await page.goto(args.url, wait_until="domcontentloaded", timeout=60000)
...
await page.screenshot(path=img_path, full_page=False)
Export only trusted/local slide URLs and verify the output path before running the export.
If pointed at a logged-in browser session, the export could render content available to that session.
When the optional --cdp argument is supplied, the script can attach to an already-running Chromium instance and reuse its first browser context, which could include existing session state. The default path launches a fresh browser instead.
browser = await p.chromium.connect_over_cdp(args.cdp)
...
if contexts:
    ctx = contexts[0]
Prefer the default isolated browser launch. Use --cdp only with a browser session you intentionally want the script to access.
