Info Vivid

Review

Audited by ClawScan on May 10, 2026.

Overview

Info Vivid appears to be a normal local chart/report renderer, but its HTML/SVG chart output embeds input text without escaping, so untrusted chart data can inject markup or script into the page that displays the chart.

Install only if you are comfortable using it with trusted or sanitized chart data. The PNG renderer looks purpose-aligned, but for HTML/SVG charts you should avoid feeding untrusted strings until the skill escapes input safely; also avoid the archive option for sensitive reports unless you want a persistent copy.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the chart data comes from an untrusted source, malicious text could break out of the SVG/HTML and run script or display deceptive content when the user opens or shares the chart.

Why it was flagged

Values derived from the input JSON are inserted directly into SVG/HTML text and title contexts without escaping; the generated HTML is intended to be opened in a browser.

Skill content
label = item.get("label", "") ... rows_svg.append(f""" ... >{i+1:02d}. {label}</text> ... <title>{tooltip}</title> ...>{tag}</text>""")

Recommendation

Escape all HTML/XML text and attribute values before interpolating them (or build the SVG with an XML library instead of string formatting), validate color/theme fields against an allowlist of expected formats, and warn users to use trusted data until the renderer is hardened.
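The breakout and the fix, side by side, as an added example rather than code from the Info Vivid skill or from ClawScan. It reproduces the flagged pattern (values from the input JSON interpolated straight into SVG text, title and attribute contexts), then the hardened form that escapes every interpolated value and allowlists the color field. The row layout, the `color` field and the function names are assumptions; the page only shows the `label`, `tooltip` and `tag` fragments. The sample items are constructed, with one row carrying a breakout payload.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the second row carries breakout payloads of the
# kind the finding warns about. This is not data from the skill's own docs.
SAMPLE_ITEMS = [
    {"label": "Normal headline", "tooltip": "ok", "tag": "news", "color": "#3366cc"},
    {
        "label": '</text><script>alert(1)</script><text>',
        "tooltip": "x</title><foreignObject>",
        "tag": "evil",
        "color": 'red" onload="alert(1)',
    },
]

# Allowlist for the (assumed) color field: a six-digit hex color and nothing else.
SAFE_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")


def render_row_unsafe(i, item):
    """Mirrors the flagged pattern: values are interpolated without escaping."""
    label = item.get("label", "")
    tooltip = item.get("tooltip", "")
    tag = item.get("tag", "")
    color = item.get("color", "#000000")
    return (f'<g fill="{color}"><text>{i+1:02d}. {label}</text>'
            f'<title>{tooltip}</title><text>{tag}</text></g>')


def render_row_safe(i, item):
    """Hardened form: escape every text/attribute value, allowlist the color."""
    def esc(s):
        # html.escape emits &amp; &lt; &gt; &quot; &#x27;, all valid in XML/SVG too.
        return html.escape(str(s), quote=True)

    color = item.get("color", "#000000")
    if not SAFE_COLOR.match(color):
        color = "#000000"  # reject anything that is not a plain hex color
    return (f'<g fill="{color}"><text>{i+1:02d}. {esc(item.get("label", ""))}</text>'
            f'<title>{esc(item.get("tooltip", ""))}</title>'
            f'<text>{esc(item.get("tag", ""))}</text></g>')


def render_svg(items, safe=True):
    """Wrap the rows in a minimal SVG document using either renderer."""
    render = render_row_safe if safe else render_row_unsafe
    rows = "\n".join(render(i, it) for i, it in enumerate(items))
    return f'<svg xmlns="http://www.w3.org/2000/svg">\n{rows}\n</svg>'


def contains_breakout(svg):
    """Crude check: did any input value create a new element or event attribute?"""
    return "<script" in svg or 'onload="' in svg or "<foreignObject" in svg


def parses_as_xml(svg):
    """Well-formedness check: escaped output must still be one valid SVG tree."""
    try:
        ET.fromstring(svg)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    unsafe = render_svg(SAMPLE_ITEMS, safe=False)
    safe = render_svg(SAMPLE_ITEMS, safe=True)
    print("unsafe breakout:", contains_breakout(unsafe), "well-formed:", parses_as_xml(unsafe))
    print("safe   breakout:", contains_breakout(safe), "well-formed:", parses_as_xml(safe))
```

Escaping alone fixes the text and title contexts; the attribute context additionally needs the allowlist, because a quoted attribute value can still be closed early by an escaped `&quot;`-free payload if the renderer ever switches to single quotes or to an unquoted attribute, and because a "color" that is really `red" onload=...` has no business reaching the output at all. Building the tree with `xml.etree.ElementTree` and serializing it would remove the need for manual escaping entirely, at the cost of restructuring the f-string templates.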

What this means

Using the PNG feature may require installing a Python package from the package ecosystem.

Why it was flagged

The PNG report feature depends on installing the external Pillow package; this is disclosed and expected for image rendering.

Skill content
| `png_longform.py` | PNG long-form image | daily/weekly reports, monitoring reports, composite infographics | `pip install Pillow` |

Recommendation

Install Pillow from a trusted package index or controlled environment, and pin a version (ideally with hashes) if reproducibility matters.

What this means

Reports containing sensitive or temporary data may remain available after the task and could be picked up by other local workflows if that directory is indexed.

Why it was flagged

The documented archive option can copy generated reports into a persistent .ai-memory-style directory.

Skill content
python scripts/png_longform.py --input report.json --output report.png --archive "C:/Users/user/.ai-memory/news"

Recommendation

Use the archive option only for reports meant to be retained, and avoid archiving sensitive content unless retention is intended.