v1.0.0

xhs-auto-content-by-hot

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:47 AM.

Analysis

The skill's content-generation workflow is mostly coherent, but it instructs the agent to store the user's API key directly in the script, which should be reviewed before installation.

Guidance: Review this skill before installing. Its main workflow is understandable, but do not paste an API key into the script as instructed; configure the key through a secure environment variable or secret store, and rotate any key that has already been saved in generate.py.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
scripts/generate.py
requests.get(url, headers=headers, timeout=10) ... requests.post(API_URL, json=payload, headers=headers, timeout=60) ... with open(image_path, "wb") as f:

The script performs network calls to fetch hot topics and call the image-generation API, then downloads and writes generated images locally. These actions are disclosed and aligned with the skill purpose.

User impact: Running the skill sends selected topics/prompts to external services and saves generated content to disk; image generation may consume provider quota or incur costs.
Recommendation: Run it only when you intend to use those external services, review the selected topic/prompt if needed, and choose an output directory you are comfortable writing to.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata / SKILL.md / scripts/generate.py
Required binaries (all must exist): none ... python3 {baseDir}/scripts/generate.py ... import requests

The registry metadata declares no runtime requirements, while the skill documentation requires running Python and the code depends on the requests package.

User impact: The runtime environment is under-specified, which can cause setup confusion or ad hoc dependency installation.
Recommendation: Declare Python and the requests dependency explicitly, ideally with version constraints or a lockfile, so users know exactly what is needed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
First ask the user what the API Key for their ByteDance image-generation model is; once they reply, store it in API_KEY in generate.py for later use

The skill explicitly asks the agent to collect a provider API key and persist it in the script rather than using a declared credential, environment variable, or secret store.

User impact: Your image-generation API key could remain in a local source file and be reused or exposed to anyone or any later process that can read the skill files.
Recommendation: Do not store the API key in generate.py. Use a declared environment variable or secret manager, scope the key to the image API, and rotate the key if it has already been written into the script.