Iciba Daily Sentence
Pass
Audited by ClawScan on May 5, 2026.
Overview
This appears to be a coherent Iciba daily-sentence card generator, with expected network fetching, local rendering, and dependency-install considerations but no evidence of credential theft or hidden destructive behavior.
This skill looks safe for its stated purpose if you are comfortable with it fetching Iciba content, downloading images, rendering with Playwright/Chromium, and writing generated files locally. Use trusted API/template inputs, verify the QR/TTS target before sharing, and install dependencies from a trusted environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may contact external URLs and use returned data, images, and TTS links in the generated card.
The renderer can fetch a configurable API endpoint over HTTP(S). This is central to the skill's purpose, but it means custom endpoints or input data should be trusted.
parser.add_argument("--api-url", default=DEFAULT_API_URL, help="iciba daily sentence endpoint") ... with urlopen(req, timeout=timeout) as response:
Use the default Iciba endpoint or another trusted endpoint, and review the generated QR/TTS URL before sharing cards publicly.
Installing dependencies from package registries carries normal supply-chain risk.
The skill may require installing third-party Python packages and a browser runtime outside an install spec. This is expected for rendering, but versions and provenance are not pinned in the artifacts.
missing dependency. install with: pip install pillow qrcode playwright && playwright install chromium
Install dependencies in a trusted environment, consider pinning package versions, and review the full script before running if higher assurance is needed.
Running the skill may start a local Chromium/Playwright browser process.
The workflow intentionally launches browser automation to render HTML into PNG. The bundled templates are static, but custom templates should be treated as executable browser content.
Render the selected HTML template to PNG with Playwright.
Use the bundled templates or only render templates from trusted sources.
