Dashboard Design For Trials
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to be a coherent local dashboard HTML generator with no evidenced credential use, network access, or hidden behavior, though it does run a Python script and write an output file.
This looks safe to use as a local dashboard mockup generator. Before installing or invoking it, be aware that it runs a Python script and writes an HTML file; keep the output path inside your workspace and avoid putting real patient-identifiable data or untrusted HTML/script text into the dashboard fields.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The user's agent may run local Python code to generate the dashboard file.
The skill is intended to run a local Python script. This is purpose-aligned for a tool/script skill, but users should notice that invoking it executes included code locally.
python scripts/main.py [options]
Run it from a normal workspace, avoid elevated privileges, and review the script before use if the source is unfamiliar.
The tool can create or overwrite an HTML file at the specified path, subject to normal filesystem permissions.
The skill lets the caller choose the output HTML path. This is expected for a dashboard generator, but it means the file destination should be chosen carefully.
`--output` | string | dashboard.html | No | Output HTML file path |
Use a workspace-relative output path and avoid pointing it at protected, shared, or important existing files.
A dashboard generated from untrusted study identifiers or names could contain unexpected HTML or script content.
A command-line value is inserted directly into generated HTML in the visible code. If untrusted text containing HTML or script markup is used, it could become active content when the generated file is opened.
<title>临床试验Dashboard - {args.study_id}</title>
Use trusted plain-text inputs, avoid embedding patient-identifiable or untrusted markup, and HTML-escape user-supplied fields before sharing generated dashboards.
The install view may not clearly warn that Python is needed and that local code will be run.
The registry metadata does not declare a runtime dependency, while SKILL.md documents running a Python script. This is a metadata/provenance clarity issue, not evidence of malicious behavior.
No install spec — this is an instruction-only skill. Required binaries (all must exist): none
Declare Python as a required runtime and keep metadata aligned with SKILL.md.
