[ClawHub Appeal] Slide Editor (@dtacheng/slide-editor) flagged as suspicious - Request for review
Resolved 💬 2 comments Opened Mar 14, 2026 by DTacheng Closed Mar 14, 2026
Appeal: Slide Editor Skill Flagged as Suspicious
Summary
My skill Slide Editor (npm: @dtacheng/slide-editor) has been flagged as suspicious by ClawHub security. I believe this is a false positive and would like to request a review.
Project Information
- Package:
@dtacheng/slide-editor - npm: https://www.npmjs.com/package/@dtacheng/slide-editor
- GitHub: https://github.com/DTacheng/slide-editor
- License: MIT
What This Project Does
This is a browser-based visual editor for HTML presentations. It is:
- 100% offline - No network calls whatsoever
- Self-contained - Single bundle file, no external dependencies at runtime
- Open source - Full source code available on GitHub and npm
Why This Was Likely Flagged
Looking at the ClawHub scan results, the concerns seem to be:
- File system access - The CLI script (
inject.ts) reads the bundle and writes to HTML files. This is necessary for its function: injecting the editor into HTML files.
- Browser launch - The
--openflag usesopen/xdg-opento open the HTML file in a browser after injection.
- Script injection - The tool injects a
<script>tag into HTML files. This is the core functionality - it adds the editor to HTML presentations.
Evidence of Safety
- No network calls: I searched the entire
src/directory forfetch,XMLHttpRequest,WebSocket,navigator.sendBeacon, and HTTP imports - none found. The code is purely local DOM manipulation.
- Open source & auditable:
- Full TypeScript source on GitHub
- Published to npm with source maps
- Clear commit history showing project evolution
- Legitimate use case: This is a visual editor for creating HTML slides - similar to tools like reveal.js editors, but designed to work offline and be embeddable.
- Limited scope:
- Only reads/writes files the user explicitly specifies
- Only opens browsers when user uses
--openflag - No credential access, no system-wide changes
Request
Could you please review this skill and remove the "suspicious" flag if you agree this is a false positive? I'm happy to provide any additional information or make changes to improve transparency (e.g., adding explicit security/privacy statements to the README).
Thank you!
---
Additional Context
The ClawHub scan itself noted:
"This appears to be a straightforward local HTML slide editor"
And confirmed:
"Nothing in the instructions directs the agent to read unrelated system files or to transmit page contents to external endpoints."
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗