Generate clean table images from data. Perfect for Discord/Telegram where ASCII tables look broken. Supports dark/light mode, custom styling, and auto-sizing...
Security Analysis
medium confidenceThe skill appears to do what it says — generate table images with optional emoji and a Discord wrapper — but it makes a few odd defaults (absolute local avatar path) and performs benign network fetches for emoji SVGs that you should be aware of.
Name/description match the code and usage. The scripts implement table image generation, emoji handling, and an optional Discord-style wrapper. The SKILL.md and README describe the same functionality; dependency on Sharp is appropriate for image processing. Minor version string mismatch between SKILL.md (1.3.1) and registry metadata (1.4.0) is present but not indicative of malicious intent.
Runtime instructions are focused on generating table images and recommend using --data-file/stdin. The code will read any file path given via --data-file and will write outputs and a local emoji cache in the skill directory. emoji.mjs performs outbound HTTPS requests to a Twemoji CDN to fetch SVGs when emoji are present (expected for emoji rendering). The discord wrapper script has a hard-coded default avatar path (/data/clawd/2026-01-29-cluka-avatar-v2.png) which will be read if the wrapper is invoked without overriding --avatar; this absolute default is unexpected and should be checked before using the wrapper in automated contexts.
There is no platform install spec; SKILL.md instructs running npm install in the scripts folder which will install the single declared dependency (sharp). No downloads from unknown/personal servers are present in the package itself. The only external network fetch performed at runtime is to a public Twemoji CDN (jsdelivr) to retrieve emoji SVGs — an expected, traceable CDN host.
The skill requests no environment variables or credentials. It reads and writes files only where specified by CLI options (output, --data-file) or its local cache directory. The ability to read any path supplied to --data-file is normal for a CLI tool but means that providing arbitrary paths could expose readable JSON files on the host; this is behavioral (not a hidden credential request).
always is false and the skill does not modify other skills or global agent settings. It writes a local .emoji-cache under the script directory and creates output files where requested; tests write to /tmp. No elevated or permanent privileges requested.
Guidance
This skill appears to be what it claims: a Node.js tool that renders table PNGs and optionally wraps them in a Discord-style frame. Before installing/using it, consider the following: - Network access: emoji support will make HTTPS requests to the Twemoji CDN (jsdelivr) at runtime to fetch SVGs; these are cached under the skill directory. If you need offline or air-gapped operation, disable emoji or prepopulate the cache. - Local file reads: the tool will read whatever file path you pass to --data-file and will attempt JSON.parse on its contents. Only pass paths you trust; do not point it at sensitive files unless they contain valid JSON and you intend to expose them. - Discord wrapper default: scripts/discord-wrap.mjs has a hard-coded default avatar path (/data/clawd/2026-01-29-cluka-avatar-v2.png). If you run the wrapper without specifying --avatar, it may attempt to read that absolute path — verify or override the avatar argument to avoid unexpected file reads. - Native dependency: sharp is a native module; npm install will fetch/build native binaries. Review build logs and run in a sandboxed environment if you are concerned about installing native deps on production systems. If you want higher assurance, run the scripts in a sandbox or container, review the included code (emoji.mjs, table.mjs, discord-wrap.mjs), and verify the behavior you expect (e.g., disable emoji fetching) before granting any automated agent permission to invoke the skill autonomously.
Latest Release
v1.4.0
- Bumped version to 1.4.0. - Updated scripts/table.mjs.
More by @dannyshmueli
Published by @dannyshmueli on ClawHub
