IQ Skill

Advisory

Audited by Static analysis on May 4, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Opening a generated quiz is expected to run browser JavaScript; unsafe custom content could potentially change what that page does.

Why it was flagged

The HTML template intentionally runs client-side JavaScript and uses placeholders that will be replaced with generated quiz content. If untrusted custom content is inserted without proper JSON/HTML escaping, the resulting local HTML could run unexpected script.

Skill content

<h1>{{TEST_TITLE}}</h1> ... <script> const questions = {{QUESTIONS_JSON}};

Recommendation

Only embed trusted quiz content, escape titles/questions/options correctly, and review generated HTML before opening or sharing it.

What this means

If the agent is asked to save output to the wrong location, it could overwrite a local file.

Why it was flagged

The script can write generated challenge output to a user-supplied file path. This is purpose-aligned, but the path is not constrained in the visible code.

Skill content

parser.add_argument("--output", help="Output file path (optional)") ... with open(args.output, "w", encoding="utf-8") as f:

Recommendation

Use a dedicated output folder and confirm file paths before saving generated puzzles or quizzes.

What this means

Users have less external context for who authored or maintains the skill.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance assurance. The artifacts themselves do not show remote install scripts, unpinned packages, or hidden dependencies.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer skills with clear provenance when possible, or inspect the included files before relying on them.