Trusted — Risk Score 0/100
Last scan: 18 hr ago
gamma
Create presentations, documents, social posts, and web pages via the Gamma.app API
This is a legitimate Gamma.app API wrapper with no malicious behavior, no sensitive resource access, and accurate documentation matching its declared functionality.
Skill Name: gamma
Duration: 31.6s
Engine: pi
Safe to install
No action needed. The skill is safe to use as documented.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No filesystem read/write operations in gamma.sh
Network | READ | READ | ✓ Aligned | gamma.sh:52 — only connects to https://public-api.gamma.app/v1.0
Shell | WRITE | WRITE | ✓ Aligned | gamma.sh:18 — uses curl and python3 for API calls; bash is the runtime, not arbi…
Environment | READ | READ | ✓ Aligned | gamma.sh:45 — reads GAMMA_API_KEY only; no iteration over os.environ
Skill Invoke | NONE | NONE | | No cross-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
5 findings
Medium · External URL · https://gamma.app · SKILL.md:6
Medium · External URL · https://developers.gamma.app/docs/getting-started · SKILL.md:21
Medium · External URL · https://gamma.app/settings · SKILL.md:28
Medium · External URL · https://public-api.gamma.app/v1.0 · SKILL.md:31
Medium · External URL · https://gamma.app/docs/xxx · references/api-reference.md:62

File Tree

3 files · 16.7 KB · 490 lines
Shell 1f · 275L Markdown 2f · 215L
├─ 📁 references
│ └─ 📝 api-reference.md Markdown 87L · 3.8 KB
├─ 📁 scripts
│ └─ 🔧 gamma.sh Shell 275L · 8.2 KB
└─ 📝 SKILL.md Markdown 128L · 4.7 KB

Security Positives

✓ Documentation accurately describes all functionality — no doc-to-code mismatch
✓ Network access is restricted to a single, declared API endpoint: https://public-api.gamma.app/v1.0
✓ API key is only transmitted to the declared Gamma API, not exfiltrated elsewhere
✓ Uses safe tooling: curl for HTTP, python3 for JSON parsing — no subprocess with user-controlled input
✓ No credential harvesting — only reads GAMMA_API_KEY for its own use
✓ No base64-encoded payloads, no eval(), no obfuscation
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risk — no third-party dependencies or package installations
✓ No sensitive file or path access (~/.ssh, ~/.aws, .env files)
✓ Uses defensive bash practices (set -euo pipefail)
✓ Error handling via die() function with clear messages