cpn_modeling_tool
Pass
Audited by ClawScan on May 13, 2026.
Overview
This skill is a coherent CPN/business-process modeling helper; the main thing to notice is that it writes a generated local HTML visualization file that runs JavaScript in the browser.
This appears safe for its stated purpose. Before installing, be aware that it can generate a temporary local HTML visualization under /tmp and that the file contains JavaScript animation code that runs when opened in a browser.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create a local HTML file on your machine for the visualization.
The skill explicitly directs the agent to use a file-writing tool to create a local HTML visualization. This is aligned with the stated visualization purpose and scoped to /tmp, but users should know a file will be created.
Use the Write tool to write the file directly; do **not** output the HTML content into the conversation - Write path: `/tmp/<project_id>.html`
Use simple safe project IDs, avoid path-like names, and delete the generated /tmp HTML file when you no longer need it.
When you open the generated HTML file, your browser runs the visualization script locally.
The generated visualization is an HTML page with JavaScript for animation and controls. This is expected for the feature and no external network behavior is shown in the provided visible template, but opening the file will run local browser JavaScript.
const data = __CPN_DATA__; ... <button id="btn-auto" onclick="toggleAuto()">▶ 自动运行</button>
Open the generated HTML only when you intended to create the visualization; inspect the file first if the model content came from untrusted input.
