Briefing-pro Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s briefing purpose is coherent, but its HTML templates appear to render arbitrary input as active HTML, which could let malicious source content run in the generated page.
This skill is reasonable for making briefings from content you provide, but avoid using untrusted web pages or documents until the templates are hardened against HTML/script injection. For sensitive material, confirm which files or URLs are being processed and prefer image/PDF output from sanitized content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious webpage or document could make the generated briefing page run unwanted browser script or alter the briefing output.
The template inserts generated briefing fields into innerHTML. Because the skill accepts arbitrary URL/file/text input and can output/open HTML, malicious content could become executable HTML or script unless another unshown layer sanitizes it.
document.getElementById('points').innerHTML = points.map(p => `<li class="point-item"><span class="point-icon">${p.icon}</span><span class="point-text">${p.text}</span></li>`).join('');
Escape or sanitize all extracted/user text, use textContent or safe DOM construction instead of innerHTML, safely JSON-encode data (including escaping '</script>'), and consider sandbox/CSP controls before opening generated HTML.
URLs and files you provide may be fetched or parsed to create the briefing, so confidential inputs should be chosen deliberately.
The skill directs the agent to fetch URLs and parse selected documents/images. This is expected for generating briefings, but users should recognize that supplied content will be read and processed.
| URL link | web_fetch fetches the web page content | ... | PDF (.pdf) | pdfplumber extracts the text | ... | Image | image recognition extracts the information |
Use only URLs and files you intend to summarize, and confirm before processing sensitive documents or images.
Successful operation may depend on external tools or another skill whose exact implementation is not included in this artifact set.
The skill references document-parsing libraries and another skill, while the registry lists no install specification or required binaries. No hidden installer is shown, so this is a dependency-disclosure note rather than evidence of malicious behavior.
**Word/Excel/PDF**: use Python libraries to extract ... This Skill uses [frontend-slides](https://clawhub.com/skill/frontend-slides)
Maintain clear dependency declarations and review the referenced rendering skill or libraries before relying on this in sensitive workflows.
