Osop Report
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a straightforward local OSOP-to-HTML report generator, with routine dependency and local-report privacy considerations.
This skill looks safe to use for its stated purpose, but treat generated HTML reports as potentially sensitive because they may include workflow inputs, outputs, AI metadata, tool usage, and reasoning. Review reports before sharing them, and install the PyYAML dependency in an isolated or trusted environment if dependency reproducibility matters.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installation may fetch the current resolved PyYAML package version rather than a fixed, reproducible version.
The skill installs PyYAML from the package ecosystem without a version pin shown. This is purpose-aligned for YAML parsing, but it relies on the resolved external package at install time.
uv | package: pyyaml
Install in a normal isolated environment and consider pinning or reviewing the resolved dependency if reproducible builds are important.
Anyone who can access or receives the generated HTML report may see details from the original workflow and execution log.
The skill intentionally copies workflow/log content into a persistent local HTML report. This is disclosed and purpose-aligned, but those logs can contain sensitive prompts, outputs, reasoning, costs, or operational details.
Save the HTML next to the source file with `-report.html` suffix ... inputs/outputs, AI metadata, tool usage, reasoning
Review generated reports before sharing them, avoid including secrets in OSOP logs, and store reports in an appropriate private location.
