Macaron Card Generator
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for making card images, but it appears to insert card text directly into HTML that is then rendered in a browser, which could let malicious content run as active HTML or JavaScript.
Review this skill before installing if you expect it to process pasted web content, third-party text, or other untrusted input. It appears safe for trusted plain-text card generation, but the maintainer should escape or sanitize content before HTML rendering.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or untrusted text snippet used as card content could alter the rendered page, run JavaScript in the browser context, make network requests, or disrupt screenshot generation.
Visible source shows JSON-derived text fields being interpolated directly into generated HTML. Since SKILL.md then instructs rendering the HTML with a browser screenshot tool, untrusted card content containing HTML or JavaScript could become active markup/script instead of plain text.
''.join(f'<span class="tag">{t}</span>' for t in tags) ... <div class="card-title">{title}</div> ... {body_html}
Escape all user-provided fields before inserting them into HTML, or sanitize them against a strict allowlist. Until this is fixed, use only trusted plain-text content and render screenshots in an isolated browser profile with scripts disabled if possible.
