Table Image
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—generate table images—but users should notice its npm dependency install, emoji CDN fetches, and a test-only shell execution pattern.
This looks safe to use for generating table PNGs. Before installing, be comfortable with running npm install for the Sharp dependency and with emoji-containing tables making CDN requests to fetch Twemoji assets. Choose input and output file paths carefully, and treat the test runner as developer-only.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create a PNG table instead of returning a text table when it thinks the output is for a chat platform.
The skill strongly biases the agent toward using this renderer for tables on messaging platforms. This is aligned with the stated purpose, but users should know it may prefer image generation over plain text tables.
**⚠️ USE THIS INSTEAD OF ASCII TABLES — ALWAYS!** ... Never use `| col | col |` formatting on messaging platforms
Use the skill when an image table is desired, and explicitly ask for plain text if you do not want a generated image.
Installing the skill may pull Node packages from npm, including native image-processing dependencies.
The documented setup installs npm dependencies even though the registry says there is no install spec. This is purpose-aligned for a Node/Sharp image renderer, but it is still a package installation users should review.
cd /data/clawd/skills/table-image/scripts && npm install
Review the included package.json/package-lock.json and install only in an environment where npm dependency installation is acceptable.
Tables containing emoji may contact jsDelivr/Twemoji and cache downloaded SVG files locally.
Emoji rendering fetches Twemoji SVG assets from a remote CDN using an @latest path and caches them locally. The request is based on emoji codepoints rather than full table contents, but output depends on an external unpinned asset source.
const CACHE_DIR = join(__dirname, '.emoji-cache'); ... const url = `https://cdn.jsdelivr.net/gh/twitter/twemoji@latest/assets/svg/${cp}.svg`; ... writeFileSync(cachePath, svg);Be aware of the network dependency; pin or pre-cache emoji assets if deterministic or offline operation is important.
Normal skill use is not shown to run arbitrary shell commands, but the test helper would be unsafe if reused with untrusted arguments.
The test harness executes a shell command constructed from arguments to exercise the CLI. The shown usage is fixed test data and not the main rendering path, but it explains the static scan's dangerous_exec signal.
const cmd = `node ${TABLE_CMD} ${args}`; ... return execSync(cmd, opts);Do not expose the test runner to untrusted input; if modifying tests, prefer safer process APIs such as execFile/spawn with argument arrays.