[ClawHub Appeal] Slide Editor (@dtacheng/slide-editor) flagged as suspicious - Request for review

Resolved 💬 2 comments Opened Mar 14, 2026 by DTacheng Closed Mar 14, 2026

Appeal: Slide Editor Skill Flagged as Suspicious

Summary

My skill Slide Editor (npm: @dtacheng/slide-editor) has been flagged as suspicious by ClawHub security. I believe this is a false positive and would like to request a review.

Project Information

What This Project Does

This is a browser-based visual editor for HTML presentations. It is:

  • 100% offline - No network calls whatsoever
  • Self-contained - Single bundle file, no external dependencies at runtime
  • Open source - Full source code available on GitHub and npm

Why This Was Likely Flagged

Looking at the ClawHub scan results, the concerns seem to be:

  1. File system access - The CLI script (inject.ts) reads the bundle and writes to HTML files. This is necessary for its function: injecting the editor into HTML files.
  1. Browser launch - The --open flag uses open/xdg-open to open the HTML file in a browser after injection.
  1. Script injection - The tool injects a <script> tag into HTML files. This is the core functionality - it adds the editor to HTML presentations.

Evidence of Safety

  1. No network calls: I searched the entire src/ directory for fetch, XMLHttpRequest, WebSocket, navigator.sendBeacon, and HTTP imports - none found. The code is purely local DOM manipulation.
  1. Open source & auditable:
  • Full TypeScript source on GitHub
  • Published to npm with source maps
  • Clear commit history showing project evolution
  1. Legitimate use case: This is a visual editor for creating HTML slides - similar to tools like reveal.js editors, but designed to work offline and be embeddable.
  1. Limited scope:
  • Only reads/writes files the user explicitly specifies
  • Only opens browsers when user uses --open flag
  • No credential access, no system-wide changes

Request

Could you please review this skill and remove the "suspicious" flag if you agree this is a false positive? I'm happy to provide any additional information or make changes to improve transparency (e.g., adding explicit security/privacy statements to the README).

Thank you!

---

Additional Context

The ClawHub scan itself noted:

"This appears to be a straightforward local HTML slide editor"

And confirmed:

"Nothing in the instructions directs the agent to read unrelated system files or to transmit page contents to external endpoints."

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗