Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Generate responsive HTML pages suitable for reporting, supporting resizing and screenshot capture.
v1.0.2
Generates a structured report HTML based on a specific template. Invoke when user wants to create a report, slide, or summary card from raw content.
⭐ 0 · 3.7k · 29 current · 31 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence

Purpose & Capability
Name, description, SKILL.md, and the visible portion of scripts/generate.py all align: the skill accepts structured JSON, renders an HTML template, and writes output to a workspace path. There are no unrelated declared env vars, binaries, or config paths.
Instruction Scope
SKILL.md instructs the agent to run the script with JSON and then use the browser tool to open file://<html_path> and take a screenshot — that stays within the stated purpose. However, the script's docstring claims it 'converts it to an image' and the script imports subprocess, indicating it may run external commands; the file preview is truncated so it's not possible to confirm whether the script itself shells out, calls remote services, or performs additional file/system access beyond writing the HTML.
Install Mechanism
No install spec; instruction-only with a Python script included. This minimizes install-time risk (nothing is downloaded at install).
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportional to the reported functionality.
Persistence & Privilege
Defaults are used (always: false, model invocation allowed). The skill does not request persistent platform privileges in the metadata.
What to consider before installing
The skill appears to do exactly what it says (generate an HTML report), but two things warrant caution before installing or running it in a production environment: (1) the provided preview of scripts/generate.py is truncated — the ending showing CLI parsing and any subprocess calls is missing, so you cannot fully audit what the script will run on your machine; (2) the script imports subprocess and the docstring mentions image conversion, so it may invoke external commands (e.g., headless browser, imagemagick, or curl) or shell out with user-provided data which could allow command injection or network activity.
Before installing or executing:
- Request the complete scripts/generate.py and review the remainder of the code for any subprocess.run / os.system / network calls, and confirm they don't pass unsanitized user input into shell commands.
- If the script does call external binaries, prefer a sandboxed environment (container or VM) and run with least privilege.
- If you plan to provide untrusted content, ensure the script properly sanitizes/escapes content to avoid HTML/JS injection or accidental execution when opened in a browser.
- If you cannot obtain and review the full script, treat the skill as untrusted and avoid running it on sensitive hosts or with privileged credentials.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97apsbc6xn4q2j28nfjpgk6y580zrty
