Article to Infographic

Audited by ClawScan on May 10, 2026.

Overview

The infographic workflow is mostly coherent, but the optional PNG export helper can automatically install unpinned Playwright/Chromium components into the local environment without clear install-time approval.

The HTML infographic generation workflow appears purpose-aligned. Be cautious with PNG export: run it only in a virtual environment or container, review/approve any dependency installation, and avoid exporting untrusted HTML with remote scripts or resources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Choosing PNG export could change your Python installation and download third-party browser components before producing the image.

Why it was flagged

The PNG export helper automatically installs an unpinned PyPI package and downloads Chromium at runtime. This behaviour is not reflected in the skill's no-install/no-required-binaries metadata, and the pip install uses --break-system-packages.

Skill content

subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright", "-q", "--break-system-packages"], ...); ... [sys.executable, "-m", "playwright", "install", "chromium"]

Recommendation

Require explicit user approval before installing dependencies, declare them in the install spec, pin versions where possible, and install inside a virtual environment or container instead of using --break-system-packages.

What this means

If the exporter is run on arbitrary HTML, scripts or external resources in that file may execute or load during screenshot generation.

Why it was flagged

The exporter renders a local HTML file in headless Chromium and executes browser-side JavaScript. This is expected for PNG screenshot export, but it should be limited to trusted/generated HTML.

Skill content

browser = p.chromium.launch(headless=True) ... page.goto(file_url, wait_until="networkidle") ... page.evaluate(""" ... """)

Recommendation

Use the exporter only on trusted infographic HTML, keep generated output self-contained, and consider blocking remote resources for stricter isolation.

What this means

A supposedly self-contained infographic may make network requests when opened if remote fonts are included.

Why it was flagged

The skill advertises self-contained, zero-dependency HTML, but its style reference includes external font CDN examples. If those are carried into generated output, opening the HTML would contact third-party font services.

Skill content

<link rel="preconnect" href="https://fonts.googleapis.com"> ... <link href="https://api.fontshare.com/v2/css?..." rel="stylesheet">

Recommendation

Disclose any remote font use clearly, or prefer system fonts/embedded assets to preserve the self-contained promise.