v1.0.0

Social Media Cover Generator

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 2:27 AM.

Analysis

The skill’s behavior matches its stated purpose of generating cover images, but it relies on a headless browser and an unpinned third-party CDN script during conversion.

Guidance: This skill appears consistent with its purpose. Before installing or using it, be aware that it renders local HTML through Puppeteer and loads snapdom from unpkg; for safer and more reproducible use, prefer pinned/local dependencies and only convert trusted generated HTML.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Must include snapdom: `<script src="https://unpkg.com/@zumer/snapdom/dist/snapdom.js"></script>`

The generated HTML is required to load snapdom from a third-party CDN at conversion time. This is disclosed and purpose-aligned, but the URL is not version-pinned or integrity-protected in the artifacts.

User impact: The conversion process depends on third-party JavaScript that could change over time, which may affect reliability or trust in the rendering path.
Recommendation: Prefer a pinned package version or vendored/local copy of snapdom, ideally with integrity checking, if reproducibility or supply-chain control is important.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/html2png.js
const browser = await puppeteer.launch({
    headless: 'new',
    args: [
      '--no-sandbox',
      '--disable-setuid-sandbox'
    ]
  });

The script launches a headless browser and disables Chromium sandboxing. Browser rendering is expected for this skill, but disabling sandboxing reduces containment if the rendered HTML or loaded scripts are unsafe.

User impact: The skill runs browser-based rendering locally; while this fits the image-generation purpose, users should avoid converting untrusted or unexpected HTML with this script.
Recommendation: Use the skill only on generated or trusted HTML, and consider removing the no-sandbox flags in environments where Chromium sandboxing works.