Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Info Vivid
v1.0.1信息可视化技能,将结构化数据渲染为深色主题的高质量图表和长图报告。 支持两类输出:第一类是零依赖 SVG/HTML 交互式横向条形图,直接在浏览器打开; 第二类是基于 Pillow 的 PNG 长图报告,含标题区、KPI 卡片、文字段落、表格、 条形图、卡片组、时间线、页脚等模块,适合监控报告、日报、排行榜等场景...
⭐ 0· 214·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (render dark-themed SVG/PNG reports) matches the included scripts and SKILL.md. PNG renderer depends on Pillow (explicitly documented). Font handling and example archive paths are consistent with a report-rendering tool.
Instruction Scope
Runtime instructions only ask the agent/user to provide JSON input and run the included scripts or import the functions. The scripts read input JSON and write image/HTML output; they do not attempt to access network endpoints, read unrelated system files beyond font fallbacks, or request unrelated secrets.
Install Mechanism
No install spec is present (instruction-only install). The only runtime dependency is Pillow for PNG output (documented). No downloads, external installers, or archive extraction steps are used.
Credentials
The skill requires no environment variables, credentials, or config paths. It does reference Windows font paths (C:\Windows\Fonts) to load Chinese fonts, which is reasonable for rendering Chinese text but means it will read those local font files if present.
Persistence & Privilege
always:false and normal model invocation. The skill does not modify other skills or global agent settings. It writes output files (and can archive to a user-specified path), which is expected behavior for a renderer.
Assessment
This skill appears to do what it claims: produce SVG/HTML and Pillow-based PNG long-form reports from JSON. Before installing or running: (1) be aware PNG output requires pip install Pillow; (2) the scripts will read local font files (they try Windows fonts first) and write files to the specified output/archive paths — avoid pointing --archive at sensitive directories; (3) review any JSON input you pass to avoid embedding sensitive data in generated images or saved files; (4) the code contains no network calls or hidden endpoints, but if you plan to run it in an automated agent, ensure the agent's file-write permissions are appropriately scoped.Like a lobster shell, security has layers — review code before you run it.
latestvk970at83ahxfx7w0570t9m7a2982w732
License
MIT-0
Free to use, modify, and redistribute. No attribution required.