Skill v1.0.0

ClawScan security

HTML DOM To Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 1:21 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions and requirements are consistent with its stated purpose (convert DOM nodes to images); it is instruction-only and asks the user to install the html-to-image npm package, which is expected but should be verified before use.
Guidance
This skill appears coherent and low-risk in itself: it simply documents how to use the html-to-image npm library in a browser/React context. Before installing or running commands the agent suggests, verify the npm package (look up 'html-to-image' on npm/GitHub, check repository URL, maintainers, and star/download counts), pin a specific version, and run `npm audit` if you install it. Be cautious about converting DOM content that contains secrets or sensitive user data (images will embed whatever is visible in the DOM). Also note CORS and large-DOM limitations mentioned in the doc. Because the skill metadata lacks a homepage/source, confirm you are installing the legitimate package rather than a similarly named one.

Review Dimensions

Purpose & Capability
ok: Name/description match the SKILL.md: all instructions describe converting DOM nodes to PNG/JPEG/SVG/Blob and related rendering options. The npm package referenced (html-to-image) is appropriate for this purpose.
Instruction Scope
ok: SKILL.md stays within scope: it describes client-side DOM operations, rendering options, and download flow (creating an <a> link and clicking it). It does not instruct reading unrelated files, environment variables, or exfiltrating data to third-party endpoints.
Install Mechanism
note: There is no registry install spec (the skill is instruction-only), but SKILL.md tells the user to run `npm install html-to-image`. That is normal for a JS library, but you should verify the npm package and its source (homepage/repo, maintainer) before installing, because the skill metadata lacks a homepage/source URL.
Credentials
ok: The skill declares no environment variables, credentials, or config paths and the instructions do not reference any. This is proportional for a client-side DOM-to-image helper.
Persistence & Privilege
ok: The skill is not always-enabled and makes no request for persistent privileges or to modify other skills or system settings. It is instruction-only and does not persist state.