Iciba Daily Sentence
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may contact external URLs and use returned data, images, and TTS links in the generated card.
The renderer can fetch a configurable API endpoint over HTTP(S). This is central to the skill's purpose, but it means custom endpoints or input data should come from trusted sources.
parser.add_argument("--api-url", default=DEFAULT_API_URL, help="iciba daily sentence endpoint") ... with urlopen(req, timeout=timeout) as response:
Use the default Iciba endpoint or another trusted endpoint, and review the generated QR/TTS URL before sharing cards publicly.
Installing dependencies from package registries carries normal supply-chain risk.
The skill may require installing third-party Python packages and a browser runtime outside an install spec. This is expected for rendering, but versions and provenance are not pinned in the artifacts.
missing dependency. install with: pip install pillow qrcode playwright && playwright install chromium
Install dependencies in a trusted environment, consider pinning package versions, and review the full script before running if higher assurance is needed.
Running the skill may start a local Chromium/Playwright browser process.
The workflow intentionally launches browser automation to render HTML into PNG. The bundled templates are static, but custom templates should be treated as executable browser content.
Render the selected HTML template to PNG with Playwright.
Use the bundled templates or only render templates from trusted sources.
