Image generation for the Moyu Daily (摸鱼日报), Baidu Hot Search and similar posters; continuously being upgraded

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a normal poster generator, with expected but noticeable use of third-party data, local image conversion tools, and user-selected file or URL inputs.

Before installing, be aware that the skill may contact XXApi for hot-search data, may load local or remote image assets you specify, and may use local converter tools for PNG/JPG/WEBP export. Use trusted dependencies, choose output paths carefully, and avoid supplying private files or sensitive URLs unless you intend them to appear in the generated poster.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generating hot-search posters may make a network request to a third-party API provider.

Why it was flagged

The Baidu hot-search poster uses an external HTTP API to retrieve public ranking data, which is expected for this feature but means the skill can contact a third-party service.

Skill content

from urllib.request import Request, urlopen ... BAIDU_API_URL = "https://v2.xxapi.cn/api/baiduhot"

Recommendation

Use the skill only where external public-data requests are acceptable, and avoid placing sensitive information in URLs or inputs used for remote fetching.

What this means

A poster can embed content from local image files or remote URLs, so unintended paths or private URLs could be included in generated output.

Why it was flagged

The daily poster renderer can load image assets from remote URLs or local file paths supplied through the poster spec; this fits poster generation but can include whatever file or URL the user chooses.

Skill content

if source.startswith(("http://", "https://")): return fetch_binary_payload(source) ... return (mime or "image/png", path.read_bytes())

Recommendation

Only provide image paths and URLs that you intentionally want included in the poster output.

What this means

Exporting non-SVG formats may run installed local image conversion tools.

Why it was flagged

Optional PNG/JPG/WEBP export can invoke local converter binaries such as ImageMagick, Inkscape, rsvg-convert, or resvg; this is central to image conversion and is not hidden.

Skill content

executable = shutil.which("magick") ... _run_command(command, ...)

Recommendation

Install converter tools from trusted sources and review output paths before running exports.

What this means

Installing dependencies may pull current package versions from the package index rather than a fully locked set.

Why it was flagged

The Python dependencies are declared with minimum versions rather than exact pins or hashes; this is common but gives the package installer flexibility to select newer releases.

Skill content

resvg_py>=0.2.6
Pillow>=10.0.0

Recommendation

Install in a controlled Python environment and pin or review dependency versions if reproducibility is important.