Daily Reading Recommendations (读书每日推荐)
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
PNG generation may require additional local packages that are not pinned or declared in the install metadata.
Optional PNG generation requires installing Playwright/Chromium, but the registry shows no install spec or declared dependencies. This is purpose-aligned, but users should verify package provenance before installing.
print("[错误] 需要安装 playwright: pip install playwright && playwright install chromium")
Install optional dependencies only from trusted package sources, and consider adding an explicit, pinned install spec.
Opening a generated card from untrusted input could display unexpected content or unsafe links.
Card fields are inserted into the HTML template by raw string replacement. This is normal for rendering, but if a card JSON or scraped field were untrusted, unexpected markup, scripts, or unsafe links could be rendered when the HTML is opened.
html = html.replace("{{" + key + "}}", str(value))
Use trusted/generated card JSON only, and escape HTML plus validate URL fields before rendering or sharing cards.
If enabled, the recommendation workflow may keep running on a schedule.
The skill documents an optional recurring automation for daily recommendations. It is user-directed and purpose-aligned, but it is persistent behavior that continues after setup.
When the user asks for a scheduled daily push of reading recommendations, create an automation (recurring)
Only enable the recurring push when desired, confirm the schedule and delivery target, and disable it when no longer needed.
