Report Creator

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This skill is reasonable to use for generating reports if you are comfortable with it reading the files or URLs you provide and writing local HTML outputs. Keep backups before using --review, avoid sharing generated HTML that contains private information, and do not provide credentials or payment authority unless a future version clearly documents that need. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user reviews the wrong file or lacks a backup, the original HTML report can be changed in place.

Why it was flagged

Review mode is explicitly documented as an automatic, non-interactive refinement that writes changes back to the specified HTML file.

Skill content

`--review` ... `将优化后的 HTML 写回原文件` (writes the optimized HTML back to the original file) ... `不是交互式确认流程` (is not an interactive confirmation flow)

Recommendation

Use version control or a backup before --review, and use --output when you want a separate generated file.

What this means

The supplied artifacts do not show a reason to provide payment authority or sensitive credentials for this report generator.

Why it was flagged

These automated capability signals would imply sensitive authority, but they conflict with the visible requirements declaring no credentials and no env vars; no provided SKILL text shows purchase or credential workflows.

Skill content

- can-make-purchases
- requires-sensitive-credentials

Recommendation

Do not provide credentials or authorize purchases unless a future version clearly documents why they are needed and how they are scoped.

What this means

Users have less registry-level provenance context when deciding whether to run optional local scripts.

Why it was flagged

Registry provenance is not fully described, while the package contains optional helper scripts that a user may run for exports or validation.

Skill content

Source: unknown; Homepage: none

Recommendation

Install from a trusted source and verify the repository/version before running helper scripts or manual git-clone installs.

What this means

Using --export-image may execute local helper code as part of producing screenshots or image outputs.

Why it was flagged

The image-export feature explicitly runs a bundled local Python helper after HTML generation.

Skill content

`--export-image [mode]` | After HTML generation, run `scripts/export-image.py`

Recommendation

Use --export-image only when needed, and review or trust the installed helper script before running it.

What this means

If a report contains private data, sharing the HTML may also share structured summaries or raw component data that downstream agents can easily read.

Why it was flagged

Generated reports intentionally preserve summaries and component data in machine-readable HTML fields.

Skill content

Every generated HTML embeds machine-readable structure: `Layer 1 — <script id="report-summary">` ... `Layer 3 — data-component data-raw`

Recommendation

Review generated HTML before sharing externally, especially when source notes contain confidential metrics, customer data, or internal decisions.