Html Anything
ReviewAudited by ClawScan on May 12, 2026.
Overview
Html Anything is a coherent instruction-only webpage generator, but it can read user-selected private files or URLs and may embed raw data inside the HTML it creates.
Install only if you are comfortable letting the agent inspect the specific files, folders, or URLs you provide. Use copies or narrow folders for sensitive data, and review the generated HTML before sharing because raw source data may be embedded inside it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you point it at a large folder or a private URL, the agent may read more source material than you intended for the page.
The skill asks the agent to inspect local files/folders and fetch or inspect URLs. This is central to the HTML-generation purpose, but it is still broad source access.
Handle these input modes automatically: ... Local file | Inspect the file ... Folder | Inspect structure and representative files ... URL | Fetch or inspect the URL when possible
Provide the smallest relevant file, folder, or URL, and ask for confirmation before broad folder inspection when the contents are private.
Sharing or publishing the generated HTML can disclose the full underlying data, including rows hidden behind collapsible drill-downs.
Some generated pages are designed to persist the raw source dataset inside the HTML, not only a summary. For finance and similar exports, that can include sensitive personal or business records.
Searchable transactions table drill-down ... with the full file inlined client-side.
Before sharing, open the HTML and check whether raw logs, transactions, messages, or records are embedded; redact or anonymize sensitive data first.
A generated page may still contact an external font provider unless the output is checked or the font import is removed.
The prompts strongly frame generated pages as offline/local while also allowing an external Google Fonts resource. That exception could confuse users who need a strictly offline artifact.
Privacy-first, offline-only. The page must not make any network calls ... The only allowed external resource is the Google Fonts import
If strict offline privacy matters, inspect the generated HTML for external links, scripts, fonts, or CSS imports before opening or sharing it.