Canvas Poster

Pass. Audited by ClawScan on May 5, 2026.

Overview

The skill appears to be a coherent poster/dashboard image generator, with expected local file output and npm dependency setup that users should review before use.

This skill looks appropriate for generating dashboard/poster PNGs. Before installing, be comfortable with npm downloading the canvas dependency, choose safe output paths, and only upload or share generated images to Feishu after confirming the intended recipients and permissions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may download native canvas packages from a package registry mirror.

Why it was flagged

The skill depends on @napi-rs/canvas and its native optional packages from an external npm mirror. This is purpose-aligned for server-side canvas rendering and includes integrity metadata, but it is still package supply-chain code that will run locally after installation.

Skill content

"resolved": "https://registry.npmmirror.com/@napi-rs/canvas/-/canvas-0.1.100.tgz"

Recommendation

Install only in a trusted environment, keep the lockfile intact, and review/update dependencies through normal npm security practices.

What this means

A poorly chosen output path could overwrite an existing local file with a generated PNG.

Why it was flagged

The poster builder can write a generated PNG to a caller-specified path. This is expected for an image generator, but the chosen path controls where local files are created or overwritten.

Skill content

`output` | string | — | If set, writes PNG to this path

Recommendation

Use explicit, safe output paths such as a temporary or project output directory, and avoid protected or important existing files.

What this means

If used with Feishu tools, generated reports could be shared more broadly than intended.

Why it was flagged

The skill documents an optional workflow to upload generated posters to Feishu Drive and open permissions. No automatic upload code is shown, but dashboards may contain business data, so sharing boundaries matter.

Skill content

Generate PNG → upload to Feishu Drive → open permissions → send link

Recommendation

Confirm the target workspace, recipients, and permission level before uploading or sharing generated posters.