SQL Report Generator
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its report-generation purpose, but its HTML report code appears to insert generated report text without escaping, which could make reports unsafe if source data contains malicious HTML or scripts.
Use this skill only with trusted or sanitized SQL/data inputs, especially when exporting HTML reports. Install its Python dependencies in an isolated environment, review generated reports before sharing, and remember that exported reports may contain sensitive business data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A report generated from untrusted or contaminated data could run unwanted JavaScript in the viewer’s browser.
The HTML renderer inserts dynamic Insight fields directly into HTML with no visible escaping or sanitization. Because the skill generates insights from DataFrame/SQL report data, malicious source strings could become executable markup when a user opens or shares the generated report.
html_parts.append(f"{insight.title}") ... html_parts.append(f"<div class='meta-item'><span class='meta-label'>指标:</span> {insight.metric}</div>") ... html_parts.append(f"<div class='insight-description'>{insight.description}</div>")
Escape all dynamic HTML fields, use a templating engine with auto-escaping, sanitize database text before report generation, and consider a restrictive Content Security Policy for generated HTML.
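To make the finding concrete, here is an added illustration (not the skill's own code) that places the unescaped f-string pattern quoted above beside an escaped version of the same markup and a no-script Content Security Policy; the Insight dataclass and the contaminated row are constructed assumptions.

```python
import html
from dataclasses import dataclass

# Added illustration, not the skill's own code. Insight is assumed to carry the
# three fields the finding names: title, metric and description.
@dataclass
class Insight:
    title: str
    metric: str
    description: str

def render_unsafe(insight: Insight) -> str:
    """The pattern in the finding: raw f-string interpolation into HTML."""
    return "\n".join([
        f"<h3>{insight.title}</h3>",
        f"<div class='meta-item'><span class='meta-label'>指标:</span> {insight.metric}</div>",
        f"<div class='insight-description'>{insight.description}</div>",
    ])

def render_escaped(insight: Insight) -> str:
    """Same markup, but every dynamic field passes through html.escape(),
    which rewrites & < > " ' so report data can never open or close a tag."""
    e = html.escape
    return "\n".join([
        f"<h3>{e(insight.title)}</h3>",
        f"<div class='meta-item'><span class='meta-label'>指标:</span> {e(insight.metric)}</div>",
        f"<div class='insight-description'>{e(insight.description)}</div>",
    ])

# Defence in depth: a <meta> CSP that permits no script at all, so a field that
# ever slips past escaping still cannot execute when the file is opened.
CSP_META = ("<meta http-equiv=\"Content-Security-Policy\" "
            "content=\"default-src 'none'; style-src 'unsafe-inline'; img-src data:\">")

def wrap_document(body: str) -> str:
    """Wrap rendered insight markup in a minimal HTML document carrying the CSP."""
    return f"<!doctype html><html><head>{CSP_META}</head><body>{body}</body></html>"

# Constructed contaminated row, as might arrive from a free-text SQL column.
TAINTED = Insight(
    title="Q2 revenue <script>alert('xss')</script>",
    metric="total_sales",
    description="<img src=x onerror=alert('xss')>",
)

if __name__ == "__main__":
    print(render_unsafe(TAINTED))                  # markup survives intact
    print(wrap_document(render_escaped(TAINTED)))  # markup neutralised as text
```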
Installing dependencies changes the local Python environment and relies on package sources available at install time.
The skill requires dependency installation even though the registry install section says there is no install spec. Installing Python packages is expected for this reporting tool, but users should notice the extra setup and dependency provenance.
Dependencies must be installed before first use: `skillhub_install install_skill sql-report-generator` ... Manual install | `pip install -r requirements.txt`
Install in a virtual environment, review requirements.txt, and prefer pinned or internally mirrored dependencies for production use.
Readers may not realize that some report conclusions are produced automatically rather than written by a human analyst.
The skill directs the agent to avoid AI wording in outputs. This is not necessarily malicious because the module is described as statistical and not using an external AI API, but users should understand that recommendations are automatically generated.
Do not use terms such as "AI insights" or "AI analysis" in output ... use neutral wording such as "insight analysis" or "statistical analysis" instead
Clearly disclose the analysis method, such as “automated statistical analysis,” especially for reports used in business decisions.
