sai creator ai

Pass. Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: sai-creator
Version: 1.0.0

The skill bundle is a specialized frontend builder designed to transform journal article data into HTML pages and social media carousels. The Python scripts (render_carousel.py, validate_output.py) are functional utilities for template substitution and QA validation, showing no signs of malicious logic, data exfiltration, or unauthorized command execution. The instructions in SKILL.md and the assets are strictly focused on maintaining editorial standards, accessibility (WCAG AA), and technical constraints for the OpenJournalTheme ecosystem.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

If a source brief or candidate contains malicious markup, the generated carousel or page could include active or malformed content when published.

Why it was flagged

The renderer takes values from the brief/candidate JSON and inserts them into SVG templates as raw strings via plain string replacement, with no XML/HTML escaping for the output context (element text versus attribute value) and no restriction on URL schemes.

Skill content
title = brief.get("title", candidate.get("title", "")) ... content = content.replace(placeholder, str(value))
Recommendation

Escape values for the exact output context, restrict URL schemes, sanitize source text before rendering, and validate the final SVG/HTML for script or event-handler injection before publishing.
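The unescaped substitution described above, beside the hardened form the recommendation asks for, as an added Python example; this is not code from the sai-creator skill. The `{{key}}` placeholder syntax, the cut-down SVG template, the hostile brief and the `templates` helper names are all assumptions made for the example, not taken from the package.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed stand-in for a carousel template: one attribute slot ({{url}})
# and one text slot ({{title}}). Placeholder syntax is an assumption.
TEMPLATE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="1080" height="1080">
  <a xlink:href="{{url}}"><text x="40" y="120">{{title}}</text></a>
</svg>"""

# Constructed hostile brief: the title closes the <text> element, injects a
# script and an event handler, and the URL uses a javascript: scheme.
HOSTILE_BRIEF = {
    "title": '</text><script>alert(1)</script><text onload="evil()">',
    "url": "javascript:alert(document.cookie)",
}

ALLOWED_SCHEMES = ("https://", "http://")


def render_raw(template, values):
    """The flagged pattern: content.replace(placeholder, str(value)), no escaping."""
    content = template
    for key, value in values.items():
        content = content.replace("{{" + key + "}}", str(value))
    return content


def safe_url(value):
    """Keep only http(s) URLs; anything else (javascript:, data:, ...) becomes '#'."""
    v = str(value).strip()
    return v if v.lower().startswith(ALLOWED_SCHEMES) else "#"


def render_safe(template, values, url_keys=("url",)):
    """Escape &, <, > and both quote characters so a value is inert whether the
    placeholder sits in element text or inside a quoted attribute; URL slots
    additionally pass through safe_url()."""
    content = template
    for key, value in values.items():
        if key in url_keys:
            value = safe_url(value)
        esc = escape(str(value), {'"': "&quot;", "'": "&#39;"})
        content = content.replace("{{" + key + "}}", esc)
    return content


def find_active_content(svg_text):
    """Post-render check: parse the SVG as XML and report script/foreignObject
    elements, on* event-handler attributes and hrefs with disallowed schemes.
    Malformed XML (a sign of injection that broke the structure) is reported too."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable"]
    problems = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip namespace
        if tag in ("script", "foreignobject"):
            problems.append("element:" + tag)
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()       # handles xlink:href
            if name.startswith("on"):
                problems.append("handler:" + name)
            v = val.strip().lower()
            if name == "href" and not v.startswith(ALLOWED_SCHEMES) and not v.startswith("#"):
                problems.append("href:" + val[:20])
    return problems


if __name__ == "__main__":
    print("raw  :", find_active_content(render_raw(TEMPLATE, HOSTILE_BRIEF)))
    print("safe :", find_active_content(render_safe(TEMPLATE, HOSTILE_BRIEF)))
```

The escaping is applied uniformly because a single `replace` call cannot know whether a placeholder lives in text or in an attribute; escaping the quote characters as well as `<`, `>` and `&` covers both positions. The parse-based validator is a last line of defence, not a substitute for escaping, since a value that breaks the XML structure only shows up as "unparseable".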

What this means

The carousel workflow may fail or require users to supply unreviewed template files from elsewhere.

Why it was flagged

The renderer depends on carousel template files that are referenced by name but are not present in the provided file manifest.

Skill content
VALID_DIMENSIONS = {
    "1080x1080": "carousel-1080.svg.tpl",
    "1200x675":  "carousel-1200x675.svg.tpl",
}
Recommendation

Include the referenced templates in the package, or clearly document their trusted source and verify any added templates before use.
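One way to verify templates that arrive from outside the package before the renderer uses them, as an added Python example rather than code from the skill: the `VALID_DIMENSIONS` mapping is the one quoted above, while the `templates/` directory layout, the pinned-hash manifest and the helper names are assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Quoted from the skill's renderer.
VALID_DIMENSIONS = {
    "1080x1080": "carousel-1080.svg.tpl",
    "1200x675":  "carousel-1200x675.svg.tpl",
}


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_templates(package_dir, pinned):
    """For every template the renderer can reference, report
    'ok' | 'missing' | 'unpinned' | 'hash-mismatch'.
    `pinned` maps template name -> expected SHA-256 from a reviewed manifest
    (assumed layout: <package>/templates/<name>)."""
    result = {}
    for name in VALID_DIMENSIONS.values():
        path = Path(package_dir) / "templates" / name
        if not path.is_file():
            result[name] = "missing"
        elif name not in pinned:
            result[name] = "unpinned"
        elif sha256_file(path) != pinned[name]:
            result[name] = "hash-mismatch"
        else:
            result[name] = "ok"
    return result


def demo():
    """Constructed package: one template present and pinned, the other absent;
    then the present template is modified after pinning."""
    with tempfile.TemporaryDirectory() as d:
        tdir = Path(d) / "templates"
        tdir.mkdir()
        good = tdir / "carousel-1080.svg.tpl"
        good.write_text("<svg>{{title}}</svg>")
        pinned = {"carousel-1080.svg.tpl": sha256_file(good)}
        before = check_templates(d, pinned)
        good.write_text("<svg><script>x()</script>{{title}}</svg>")  # tampered
        after = check_templates(d, pinned)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Refusing to render on anything other than `ok` turns the missing-template gap from a silent runtime failure (or a prompt to fetch an unreviewed file) into an explicit, auditable stop.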

What this means

Users have less certainty that the packaged artifact exactly matches the published registry entry.

Why it was flagged

The packaged _meta.json does not match the registry metadata shown for owner, slug, and version, which creates a provenance/coherence gap even though it does not show malicious behavior.

Skill content
"ownerId": "kn7amrtkn0tjk2r2yxf3hjgp0s7zn6g4",
  "slug": "sai-frontend-builder",
  "version": "0.1.0"
Recommendation

Reconcile registry metadata and packaged metadata before installation or publication.

What this means

Published artifacts may contain a commercial link and rotating marketing copy even when the user is mainly asking for article/carousel rendering.

Why it was flagged

The skill requires public-facing outputs to include a fixed promotional CTA destination; this is disclosed, but it affects the content users may publish.

Skill content
The CTA always points to openjournaltheme.com, with rotating copy variants.
Recommendation

Confirm that the fixed CTA is acceptable for the publication context, or parameterize/remove it when neutral editorial output is required.