briefing-visualizer (briefing to mobile long image)

Advisory. Audited by static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user processes arbitrary or malicious HTML, that page may run in a less-isolated browser process during screenshot generation.

Why it was flagged

The script launches a local Chrome process to render a file:// HTML page. This is central to the screenshot purpose, but disabling the browser sandbox reduces isolation if the HTML contains untrusted script content.

Skill content
"--headless", "--disable-gpu", "--no-sandbox", ... "file://" + os.path.abspath(html_path),
Recommendation

Use trusted or sanitized HTML, escape user/fetched text before inserting it into templates, and consider removing --no-sandbox unless it is strictly required in the target environment.

What this means

The skill may fail until local dependencies are installed, and users may need to obtain those dependencies outside the declared install flow.

Why it was flagged

The script requires Pillow/PIL and a local Chrome or Chromium installation, while the provided registry metadata declares no required binaries and there is no install spec.

Skill content
from PIL import Image ... raise FileNotFoundError("未找到 Chrome,请安装 Google Chrome 或配置 CHROME 路径")
Recommendation

Declare Chrome/Chromium and Pillow requirements clearly, and install any missing dependencies only from trusted sources.