exam-mindmap-generator
Review
Audited by ClawScan on May 11, 2026.
Overview
The skill mostly matches its study-plan purpose, but the generated HTML loads third-party code and embeds exam data into executable HTML/JavaScript without clear escaping controls.
Install only if you trust the knowledge_map.json source and are comfortable with the generated HTML loading ECharts from BootCDN. Review the output before opening or sharing it, especially if the knowledge map may contain copied web content or private study notes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening the generated file may load and run third-party code in the browser, which can affect privacy, offline use, and supply-chain trust.
The generated review-plan HTML executes JavaScript from an external CDN when opened. This runtime dependency is not clearly surfaced in the skill metadata and weakens the claim that the output is a simple static/printable artifact.
<script src="https://cdn.bootcdn.net/ajax/libs/echarts/5.4.3/echarts.min.js"></script>
Disclose the CDN dependency clearly, consider bundling a reviewed local copy of ECharts, and, if external loading remains necessary, pin the script with Subresource Integrity (an integrity attribute plus crossorigin="anonymous") and restrict script sources with a Content-Security-Policy.
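As an added illustration of the remediation above (example code, not the skill's own and not ClawScan's), the following Python builds the head of the generated report with a script tag pinned by Subresource Integrity and a Content-Security-Policy that permits only the pinned library and the hashed inline data script. It assumes the reviewer holds the bytes of the reviewed echarts.min.js (a constructed placeholder stands in for them), that the template's inline data script can be hashed exactly as emitted, and that the template carries an inline <style> block; the vendored path ./echarts.min.js and all function names are hypothetical.

```python
import base64
import hashlib
import html

# Script URL as it appears in the skill's template.
CDN_SRC = "https://cdn.bootcdn.net/ajax/libs/echarts/5.4.3/echarts.min.js"

# Constructed stand-in for the bytes of the reviewed echarts.min.js (not the real library).
SAMPLE_ECHARTS_JS = b"/* constructed placeholder for echarts.min.js */\n"

# Constructed stand-in for the template's inline data script.
SAMPLE_INLINE_JS = 'var mindmapData = {"name": "root", "children": []};'


def _b64_digest(data: bytes, algo: str) -> str:
    """Base64 digest in the form both SRI and CSP hash sources expect."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI/CSP hashes must be sha256, sha384 or sha512")
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a resource's bytes, e.g. 'sha384-<base64>'."""
    return f"{algo}-{_b64_digest(data, algo)}"


def csp_hash_source(inline_js: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script: digest of the element's exact text content."""
    return f"'{algo}-{_b64_digest(inline_js.encode('utf-8'), algo)}'"


def script_tag(src: str, data: bytes) -> str:
    """<script> pinned to the reviewed bytes; the browser refuses any other bytes
    served under that URL. crossorigin="anonymous" is required for SRI to be
    enforced on a cross-origin load."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_value(data)}" crossorigin="anonymous"></script>')


def csp_meta(script_hosts, inline_js: str) -> str:
    """<meta> CSP for a static report: scripts only from the listed hosts plus the
    hashed inline data script; every other inline script, eval and plugin is blocked.
    style-src 'unsafe-inline' is an assumption made for the template's inline <style>."""
    script_src = " ".join(["'self'", *script_hosts, csp_hash_source(inline_js)])
    policy = (f"default-src 'none'; script-src {script_src}; "
              "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
    return f'<meta http-equiv="Content-Security-Policy" content="{policy}">'


def head_fragment(js_bytes: bytes, inline_js: str, local: bool = False) -> str:
    """Head fragment for the generated report. local=True uses a vendored copy at the
    assumed path ./echarts.min.js so the report works offline and no CDN host is
    needed in the policy; local=False keeps the CDN but pins it with SRI.
    The <meta> policy is emitted first so it governs the script tags that follow."""
    if local:
        src, hosts = "./echarts.min.js", ()
    else:
        src, hosts = CDN_SRC, ("https://cdn.bootcdn.net",)
    return "\n".join([
        csp_meta(hosts, inline_js),
        script_tag(src, js_bytes),
        f"<script>{inline_js}</script>",
    ])


if __name__ == "__main__":
    print(head_fragment(SAMPLE_ECHARTS_JS, SAMPLE_INLINE_JS))
    print(head_fragment(SAMPLE_ECHARTS_JS, SAMPLE_INLINE_JS, local=True))
```

Two caveats a practitioner should keep in mind: the integrity value is bound to the exact bytes, so it must be recomputed whenever the pinned ECharts version changes, and the CSP hash covers the inline data script's text, so it changes with every generated report and must be computed after the data has been serialized into the page.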
If the knowledge map contains malicious or malformed text, it could become executable HTML/JavaScript when the user opens the generated report.
The template places generated HTML fragments and JSON directly into the page and script context. The artifacts do not specify escaping or safe serialization for values derived from knowledge_map.json.
<div class="wp-list">{{weak_points_html}}</div> ... var mindmapData = {{echarts_tree_data}};
Escape all text fields before inserting them into HTML, use JSON.stringify-style serialization for JavaScript data, and avoid inserting user-derived content as raw HTML. Note that valid JSON alone is not sufficient inside a <script> element: the HTML parser ends the element at the first "</script" it sees, before the JavaScript parser runs, so "<" (and for good measure ">" and "&") in serialized strings must additionally be escaped as \u003c-style sequences.
The user may not realize that generation failed, used fallback behavior, or overwrote an earlier output.
The skill tells the agent to proceed without confirmation and to hide some errors. For this scoped task it appears intended to streamline generation, but it can make failures or overwrites less visible.
1. **Do not ask for confirmation to proceed.** ... 3. **All errors are silent fallback.** Handle any problem silently; do not report it to the user.
Report meaningful errors, avoid silent fallback for template/data failures, and ask for confirmation before destructive overwrites or ambiguous follow-up actions.
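As an added example that serves both the escaping finding and the silent-fallback finding above (illustrative code written for this review, not the skill's own), the Python below fills a stand-in for the two quoted placeholders with escaped values, refuses to emit a page that still contains an unfilled placeholder, and refuses to overwrite an earlier report unless the caller says so. The template fragment, the knowledge_map.json content (which carries a constructed injection attempt) and the function names are assumptions.

```python
import html
import json
import os
from typing import Any, Dict, List

# Constructed stand-in for the skill's template; only the two placeholders quoted in
# the finding are reproduced.
TEMPLATE = """<div class="wp-list">{{weak_points_html}}</div>
<script>var mindmapData = {{echarts_tree_data}};</script>"""

# Constructed knowledge_map.json content with hostile text in two fields.
SAMPLE_KNOWLEDGE_MAP: Dict[str, Any] = {
    "exam": "CISSP",
    "weak_points": ["Access control models",
                    "<img src=x onerror=alert(document.cookie)>"],
    "tree": {"name": "Root</script><script>alert(1)</script>",
             "children": [{"name": "Cryptography", "children": []}]},
}


def render_weak_points(points: List[str]) -> str:
    """HTML fragment: every text field escaped so it renders as text, never as markup."""
    return "".join(f"<li>{html.escape(str(p), quote=True)}</li>" for p in points)


def js_literal(value: Any) -> str:
    """Serialize data for a <script> context. json.dumps yields a valid JS literal
    (non-ASCII is already written as \\uXXXX), but the HTML parser scans the script
    body before the JS parser does, so a '</script' or '<!--' inside a string would
    end the element early. Escaping '<', '>' and '&' as \\u00XX removes every such
    sequence while leaving the JS string values unchanged."""
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_report(template: str, knowledge_map: Dict[str, Any]) -> str:
    """Fill the template with escaped values only. A missing key or a placeholder the
    template still carries afterwards raises instead of producing a half-rendered page."""
    values = {
        "weak_points_html": render_weak_points(knowledge_map["weak_points"]),
        "echarts_tree_data": js_literal(knowledge_map["tree"]),
    }
    out = template
    for key, val in values.items():
        out = out.replace("{{" + key + "}}", val)
    if "{{" in out:
        leftover = out[out.index("{{"):][:40]
        raise ValueError(f"template has an unfilled placeholder: {leftover}")
    return out


def write_report(path: str, content: str, overwrite: bool = False) -> str:
    """Persist the report. Mode 'x' (O_CREAT|O_EXCL) makes a repeat run fail with
    FileExistsError instead of silently replacing an earlier report; the caller, not
    the skill, decides whether to pass overwrite=True."""
    mode = "w" if overwrite else "x"
    with open(path, mode, encoding="utf-8") as f:
        f.write(content)
    return os.path.abspath(path)


def generate(knowledge_map: Dict[str, Any], out_path: str, overwrite: bool = False) -> str:
    """Render and write; every error propagates so the user learns what failed."""
    return write_report(out_path, render_report(TEMPLATE, knowledge_map), overwrite)


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "exam-mindmap-20260511.html")
    print(generate(SAMPLE_KNOWLEDGE_MAP, path))
    try:
        generate(SAMPLE_KNOWLEDGE_MAP, path)
    except FileExistsError as err:
        print("refused to overwrite:", err)
```

In the rendered output the image tag appears as literal text in the weak-points list and the tree name cannot close the data script, so the page carries the hostile strings without executing them; the knowledge-map text itself is preserved for the reader.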
The generated file may reveal private study goals, weak areas, or source evidence to anyone who can access or receive the HTML.
The skill reads local session context and persists a report containing exam targets, weak points, and evidence into an HTML file.
Step 1: Confirm that .exam-session/knowledge_map.json exists and is valid ... Step 11: Write the complete HTML string to exam-mindmap-YYYYMMDD.html
Treat the generated HTML as potentially private, store it in a known location, and review it before sharing or printing.
