sai creator ai

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its content-rendering purpose, but its renderer appears to place source text into publishable markup without escaping, so malicious input in a brief or candidate could end up as active content in what is published.

Before installing or using this skill, verify the package metadata and missing carousel templates, and do not publish generated HTML/SVG until the renderer escapes or sanitizes all brief/candidate fields. Also confirm that the required openjournaltheme.com CTA is appropriate for your use case.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a source brief or candidate contains malicious markup, the generated carousel or page could include active or malformed content when published.

Why it was flagged

The renderer takes values from brief/candidate JSON and inserts them into SVG templates as raw strings, with no XML/HTML/context escaping shown.

Skill content
title = brief.get("title", candidate.get("title", ""))
...
content = content.replace(placeholder, str(value))
Recommendation

Escape values for the exact output context, restrict URL schemes, sanitize source text before rendering, and validate the final SVG/HTML for script or event-handler injection before publishing.

What this means

The carousel workflow may fail or require users to supply unreviewed template files from elsewhere.

Why it was flagged

The renderer depends on carousel template files that are referenced by name but are not present in the provided file manifest.

Skill content
VALID_DIMENSIONS = {
    "1080x1080": "carousel-1080.svg.tpl",
    "1200x675":  "carousel-1200x675.svg.tpl",
}
Recommendation

Include the referenced templates in the package, or clearly document their trusted source and verify any added templates before use.

What this means

Users have less certainty that the packaged artifact exactly matches the published registry entry.

Why it was flagged

The packaged _meta.json does not match the registry metadata shown for owner, slug, and version, which creates a provenance/coherence gap even though it does not show malicious behavior.

Skill content
  "ownerId": "kn7amrtkn0tjk2r2yxf3hjgp0s7zn6g4",
  "slug": "sai-frontend-builder",
  "version": "0.1.0"
Recommendation

Reconcile registry metadata and packaged metadata before installation or publication.

What this means

Published artifacts may contain a commercial link and rotating marketing copy even when the user is mainly asking for article/carousel rendering.

Why it was flagged

The skill requires public-facing outputs to include a fixed promotional CTA destination; this is disclosed, but it affects the content users may publish.

Skill content
The CTA always points to openjournaltheme.com, with rotating copy variants.
Recommendation

Confirm that the fixed CTA is acceptable for the publication context, or parameterize/remove it when neutral editorial output is required.