Novel Character Graph
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a novel file or extracted character data contains HTML or script-like text, opening the generated report could run unwanted browser code.
Character names and descriptions are inserted directly into generated HTML/SVG without HTML escaping or sanitization.
<h3 class="text-xl font-bold text-orange-400 mb-2">{char['name']}</h3> ... {char.get('identity', '')} ... f'{char["name"][:4]}</text>'Escape all user-derived fields with html.escape, avoid inserting raw strings into HTML/SVG, and consider a restrictive Content Security Policy for generated reports.
Opening the report may contact third-party services, and the remote Tailwind script runs in the page that contains the generated analysis.
Generated reports load third-party JavaScript and fonts from external CDNs at viewing time.
<script src="https://cdn.tailwindcss.com"></script> ... @import url('https://fonts.googleapis.com/css2?family=Ma+Shan+Zheng&family=Noto+Sans+SC...Use bundled local CSS/assets for offline reports, or clearly warn users before generating HTML that depends on third-party web resources.
Running that example in the wrong folder could overwrite text files or convert files that were not intended for this project.
The reference handbook includes a user-directed bulk conversion command that overwrites every .txt file in the current directory after conversion.
for f in *.txt; do ... iconv -f GBK -t UTF-8 "$f" -o "${f%.txt}_utf8.txt" ... mv "${f%.txt}_utf8.txt" "$f" ... doneRun conversion commands only in a copy of the target folder, keep backups, and prefer writing converted files to a separate output directory.
The visible instructions look coherent, but hidden formatting/control characters reduce transparency and make the original source harder to audit.
The neutralized artifact metadata indicates hidden/comment content and Unicode control characters were removed from SKILL.md before display.
"hiddenCommentBlocksRemoved": 1, "controlCharactersRemoved": 6
Inspect the raw SKILL.md before installation and remove any hidden comments or Unicode control characters that are not necessary.