Skill v1.0.1
ClawScan security
Info Vivid · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 4:11 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (generating SVG/HTML charts and Pillow-based PNG reports); it asks for no credentials or unusual installs and contains no obvious exfiltration or hidden endpoints.
- Guidance: This skill appears to do what it claims: produce SVG/HTML and Pillow-based PNG long-form reports from JSON. Before installing or running: (1) be aware PNG output requires pip install Pillow; (2) the scripts will read local font files (they try Windows fonts first) and write files to the specified output/archive paths — avoid pointing --archive at sensitive directories; (3) review any JSON input you pass to avoid embedding sensitive data in generated images or saved files; (4) the code contains no network calls or hidden endpoints, but if you plan to run it in an automated agent, ensure the agent's file-write permissions are appropriately scoped.
Review Dimensions
- Purpose & Capability (ok): Name/description (render dark-themed SVG/PNG reports) matches the included scripts and SKILL.md. PNG renderer depends on Pillow (explicitly documented). Font handling and example archive paths are consistent with a report-rendering tool.
- Instruction Scope (ok): Runtime instructions only ask the agent/user to provide JSON input and run the included scripts or import the functions. The scripts read input JSON and write image/HTML output; they do not attempt to access network endpoints, read unrelated system files beyond font fallbacks, or request unrelated secrets.
- Install Mechanism (ok): No install spec is present (instruction-only install). The only runtime dependency is Pillow for PNG output (documented). No downloads, external installers, or archive extraction steps are used.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. It does reference Windows font paths (C:\Windows\Fonts) to load Chinese fonts, which is reasonable for rendering Chinese text but means it will read those local font files if present.
- Persistence & Privilege (ok): always:false and normal model invocation. The skill does not modify other skills or global agent settings. It writes output files (and can archive to a user-specified path), which is expected behavior for a renderer.
