Infographic creator socials

Pass

Audited by ClawScan on May 7, 2026.

Overview

The skill matches its stated purpose of generating social infographics, but users should know it uses an OpenAI API key, can send prompts and selected images to OpenAI, downloads favicons, and stores local project assets.

This skill appears safe for its stated purpose. Before installing, confirm you are comfortable using an OpenAI API key, sending selected prompts/images to OpenAI, downloading favicons from Google, and keeping generated assets and prompt files in the local infographics folder.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may use your OpenAI account and incur provider charges.

Why it was flagged

The renderer uses the local OpenAI client credential to call the image API. This is expected for gpt-image-2 generation, but it grants API-spend authority and is not reflected in the registry's primary credential field.

Skill content

OPENAI_API_KEY=sk-... python3 generate.py ...
...
client = OpenAI()

Recommendation

Use an OpenAI key intended for this project, monitor usage, and revoke or rotate the key if you stop using the skill.

What this means

Any prompt text, avatar, logo, or screenshot selected as a reference may be sent to OpenAI for rendering.

Why it was flagged

The code uploads the prompt and selected reference image files to OpenAI. The script restricts reference images to assets_dir, which helps, but user-provided avatars or screenshots may still contain sensitive information.

Skill content

result = client.images.edit(
    model=model,
    image=files,
    prompt=prompt,
    size=api_size,
    quality=quality,
)

Recommendation

Only place images in the assets folder that you are comfortable sending to OpenAI, and redact private details from screenshots before rendering.

What this means

Brand or domain names used in the infographic may be requested from Google, and downloaded image files will be saved locally.

Why it was flagged

The workflow instructs the agent to make external Google favicon requests and write downloaded files into the assets directory. This is purpose-aligned asset enrichment, but it is external network and file-write activity.

Skill content

Brand favicons via Google's favicon service ... Download with `curl -sL <url> -o assets/<name>.png`.

Recommendation

Avoid using confidential internal domains unless you are comfortable sending them to Google's favicon service; review downloaded assets before use.

What this means

Installing dependencies may pull newer package versions than originally tested.

Why it was flagged

The setup example installs unpinned Python packages from the package ecosystem. The instruction recommends a virtualenv and asks before system-wide install, which reduces risk, but the versions are still not fully pinned.

Skill content

python3 -m venv .venv && source .venv/bin/activate
pip install --quiet "openai>=1.0" "cairosvg>=2.7"

Recommendation

Use the virtualenv approach, avoid system-wide installs, and pin or review dependency versions in environments where reproducibility matters.

What this means

People or tools with access to the project folder may see prior prompt content, branding details, or avatar references.

Why it was flagged

The skill keeps local state and generated prompts for reuse across sessions. This supports consistent branding, but it means handle, avatar path, theme, and prompt content may persist in the project directory.

Skill content

style.json # active theme (filled at runtime: accent color, handle, avatar path) ... prompts/ # one .py file per generated piece, kept for re-rendering ... reuse the existing `style.json`

Recommendation

Keep the infographics folder private, and delete or sanitize assets, prompts, and style.json when they contain sensitive information.