Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Article to Infographic
v1.0.0
Transform articles, blog posts, reports, or any text content into visually stunning, self-contained HTML infographics. Use when the user wants to convert tex...
by Frank Shen @fengsh0923
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, references, templates, and the html_to_png.py script are coherent with an article→infographic generator. However, skill.json advertises a fault-tolerant PNG fallback chain (Playwright → Selenium → wkhtmltoimage → CutyCapt) while the provided script implements only Playwright. The presence of optional dependencies for multiple rendering tools without corresponding code is an inconsistency.
Instruction Scope
SKILL.md confines actions to acquiring article content (URL/file/text), analyzing it, interactive multi-step confirmations, generating a single self-contained HTML, and optionally exporting to PNG. It requires explicit user confirmation at several points (good). It references fetching URLs (WebFetch) and reading files provided by the user, which is expected for this skill and is not out of scope.
Install Mechanism
There is no formal install specification; instead, scripts/html_to_png.py will attempt to install Playwright (pip install playwright) and run `playwright install chromium` at runtime via subprocess. Automatic pip/browser installation during execution can download code and write to the environment, and the script uses the pip flag `--break-system-packages` which can alter system package isolation. Because the skill lacks a declared, reviewed install mechanism and will perform network installs at runtime, this is a moderate risk and should be run in a controlled/sandboxed environment.
Credentials
The skill requests no environment variables, credentials, or config paths. The references and changelog mention external font CDNs (including China mirrors like fonts.loli.net and fonts.font.im) and third-party illustration sources; these are reasonable for rendering/display but are external network endpoints to be aware of. No credentials are requested, which is proportionate.
Persistence & Privilege
The skill is not always-included and does not request elevated or persistent platform privileges. The only persistent side-effect implied is installing packages/browser binaries when running the PNG export script; it does not modify other skills or system config beyond installing dependencies.
What to consider before installing
This skill appears to do what it says (generate HTML infographics) and enforces explicit confirmation steps, which is good. Two things to watch out for before installing or running it:
(1) The included Python script will try to install Playwright and download Chromium at runtime (via pip and playwright install). That performs network downloads and writes packages/browsers to the environment — run it only in a sandbox or on a machine where you permit new packages.
(2) skill.json advertises multiple PNG fallback tools (Selenium, wkhtmltoimage, CutyCapt) but the shipped script implements only Playwright; that mismatch may indicate incomplete implementation.
Recommended actions: review the html_to_png.py contents (you have them), run PNG export only in an isolated environment if you need it, or ask the author to provide an explicit install spec (or a packaged binary) and to remove or justify the use of --break-system-packages. If you are uncomfortable with on-demand package installs or external font/CDN calls, use the skill for HTML-only generation and avoid the PNG export step.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dcah5d8ys23hddrvdbkw5nd81rs1w
