exam-question-generator

Pass

Audited by ClawScan on May 11, 2026.

Overview

This appears to be a coherent local exam-question generator, with purpose-aligned but noteworthy use of knowledge-base context, generated HTML, and CDN-loaded math-rendering scripts.

This skill is reasonable to use if you want local exam-question files generated from your study materials. Before installing or running it, be aware that it may reuse knowledge-base content in the output HTML/JSON, the HTML loads KaTeX from a CDN, and dynamic HTML fields should be escaped before opening or sharing the generated page.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private or sensitive study-note content could be incorporated into the generated questions, explanations, or HTML if it is present in the knowledge base.

Why it was flagged

The skill intentionally retrieves knowledge-base source context for each exam point. This is aligned with generating questions, but retrieved notes can influence the generated output and may be reflected in local files.

Skill content

Step 4   Call the /knowledge-base skill (note_retrieve): for each exam point, retrieve the original-text context from the knowledge base

Recommendation

Use this skill only with intended study materials and review generated files before sharing them.

What this means

A crafted value in the knowledge map or generated content could alter the generated page, and in unsafe cases could run browser script when the HTML file is opened.

Why it was flagged

Dynamic question fields are placed into generated HTML. If an implementation does not HTML-escape these values, markup from source data or generated content could render or execute in the browser.

Skill content

<div class="q-content">{content}</div> ... <div class="explanation">{explanation}</div>

Recommendation

Escape or sanitize all dynamic values before writing the HTML file, and open generated pages only from trusted workspaces.

What this means

Opening the generated HTML may contact a CDN and depends on that remote script being available and trustworthy.

Why it was flagged

The generated HTML loads KaTeX resources from jsDelivr. The version is pinned, but the page still depends on third-party remote code when opened.

Skill content

<script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.9/dist/katex.min.js"></script>

Recommendation

For offline or sensitive use, consider bundling KaTeX locally or adding integrity controls such as SRI.