Table Image
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: table-image-generator Version: 1.4.0 The skill bundle is benign. It generates table images from JSON data using the `sharp` library. File system operations are limited to reading input data/avatar, writing output images, and caching emoji SVGs. Network activity is restricted to fetching Twemoji SVGs from a legitimate CDN (cdn.jsdelivr.net). There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts against the AI agent. The `execSync` calls in the test script (`tests/table.test.mjs`) are used with internally controlled, safe arguments and do not pose a practical shell injection risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create a PNG table instead of returning a text table when it thinks the output is for a chat platform.
The skill strongly biases the agent toward using this renderer for tables on messaging platforms. This is aligned with the stated purpose, but users should know it may prefer image generation over plain text tables.
**⚠️ USE THIS INSTEAD OF ASCII TABLES — ALWAYS!** ... Never use `| col | col |` formatting on messaging platforms
Use the skill when an image table is desired, and explicitly ask for plain text if you do not want a generated image.
Installing the skill may pull Node packages from npm, including native image-processing dependencies.
The documented setup installs npm dependencies even though the registry says there is no install spec. This is purpose-aligned for a Node/Sharp image renderer, but it is still a package installation users should review.
cd /data/clawd/skills/table-image/scripts && npm install
Review the included package.json/package-lock.json and install only in an environment where npm dependency installation is acceptable.
Tables containing emoji may contact jsDelivr/Twemoji and cache downloaded SVG files locally.
Emoji rendering fetches Twemoji SVG assets from a remote CDN using an @latest path and caches them locally. The request is based on emoji codepoints rather than full table contents, but output depends on an external unpinned asset source.
const CACHE_DIR = join(__dirname, '.emoji-cache'); ... const url = `https://cdn.jsdelivr.net/gh/twitter/twemoji@latest/assets/svg/${cp}.svg`; ... writeFileSync(cachePath, svg);Be aware of the network dependency; pin or pre-cache emoji assets if deterministic or offline operation is important.
Normal skill use is not shown to run arbitrary shell commands, but the test helper would be unsafe if reused with untrusted arguments.
The test harness executes a shell command constructed from arguments to exercise the CLI. The shown usage is fixed test data and not the main rendering path, but it explains the static scan's dangerous_exec signal.
const cmd = `node ${TABLE_CMD} ${args}`; ... return execSync(cmd, opts);Do not expose the test runner to untrusted input; if modifying tests, prefer safer process APIs such as execFile/spawn with argument arrays.