Output Forge
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Output Forge is a local text-formatting tool whose behavior matches its stated purpose, with a few user-review notes around disclaimer removal, unsanitized generated HTML, and packaging metadata.
This appears safe for local formatting of your own text. Before publishing, review cleaned content for removed caveats and sanitize or inspect generated HTML/LaTeX if the input came from an untrusted source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Published content may sound more confident or less AI-generated than the original, and may omit useful limitations.
The tool openly advertises removing AI-related disclaimers and caveats. This is purpose-aligned, but those statements can sometimes be important context for readers.
Automatically removes common AI hedging and disclaimers... "I don't have personal opinions, but..." ... Unnecessary disclaimers about training cutoffs ... Your content sounds more natural and confident.
Review output before publishing, especially factual, medical, legal, financial, or transparency-sensitive content; use the no-clean option when disclaimers should remain.
If untrusted text is converted to HTML or LaTeX and then pasted into a sensitive platform, unsafe markup could be carried into that platform.
The artifacts disclose that formatted output can preserve unsafe input content, which matters because the tool is designed to prepare content for platforms like WordPress, email, and social media.
No sanitization for malicious content (e.g., script injection in HTML formats)... Generated HTML/LaTeX/etc. is not sanitized... Do not paste into admin panels without reviewing if input source is untrusted
Only process trusted input, or sanitize and review generated HTML/LaTeX before pasting it into CMS, email, or admin interfaces.
Users may not realize from the install metadata alone that they are expected to run local Python scripts.
The registry/install metadata under-describes the package as instruction-only even though it contains runnable Python code. The code is provided and purpose-aligned, so this is a clarity note rather than a security concern.
Install specifications: No install spec — this is an instruction-only skill.
Code file presence: 3 code file(s): output_clean.py, output_forge.py, output_templates.py
Confirm you are comfortable running the included local Python files and have Python available before installing or using the skill.
