Product Description Generator
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its product-copy purpose, but its bulk CSV script can write files outside the chosen output folder if product names contain path characters.
Review before installing. If you use bulk CSV generation, only run it on trusted CSVs or patch the filename handling first, and run it in a safe working directory. Also review generated marketing claims before publishing them.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed CSV could create or overwrite local .md files outside the selected descriptions folder.
The CSV product value is used as a path component without sanitizing slashes, absolute paths, or '..', so crafted CSV content can make the script write outside the intended output directory.
filename = f"{row['product'].lower().replace(' ', '_')}.md"
output_path = os.path.join(output_dir, filename)
with open(output_path, "w", encoding="utf-8") as f:
Sanitize product names into safe slugs, reject absolute paths and '..', resolve the final path, verify it stays inside output_dir, and avoid overwriting existing files without confirmation.
The skill may fail or users may look for undocumented extra files; this is a packaging/completeness issue rather than evidence of malicious behavior.
The skill documentation depends on Python execution and advertises helper scripts that are not included in the provided manifest, while the registry declares no required binaries or install spec.
python3 scripts/generate_description.py ... ### `generate_variations.py` ... ### `seo_analyzer.py`
Declare the Python runtime requirement and either include the documented helper scripts or remove those sections from SKILL.md.
