Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

z-card-image

v1.1.0

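Generates illustrations, cover images, card images, text posters, WeChat Official Account article cover images, WeChat Official Account header images, X-style post share images, long post images, and long social media post images. Suitable for post-type data, post data, social posts, tweet/thread, retweeted tweets, reposted posts, Little Green Book (小绿书) illustrations, image covers, card image.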

by Jinx @aatrooox
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, declared binaries (python3, google-chrome), templates, and scripts all align: the code builds HTML from templates and uses headless Chrome (and ffmpeg for wechat-cover-split) to create PNGs. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructions map directly to the scripts' behavior: detecting environment binaries, choosing templates, applying highlights, and calling the renderer. The runtime instructions do not instruct reading arbitrary system config, contacting external endpoints, or exfiltrating data. The scripts do run subprocesses (Chrome, optional ffmpeg) to render screenshots, which is expected for this function.
Install Mechanism
This is an instruction-and-script-only skill with no install spec. No remote downloads or package installs are performed automatically by the skill bundle itself.
Credentials
No environment variables or credentials are required. Minor oddity: several files/reference docs (and render_card.py) contain a hard-coded absolute default icon path (/Users/aatrox/.openclaw/agents/zoe/...), which is a developer-specific workspace path — not a credential but may not exist on other users' systems and could cause missing-icon behavior. The scripts also reference local asset paths for fonts and avatars; these are normal for rendering but worth noting.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It writes temporary HTML files and output PNGs to the provided output paths; this is expected behavior for a renderer.
Assessment
This skill appears to do exactly what it says: render templates into PNGs using Python and headless Chrome (ffmpeg only for the wechat-cover-split template). Before installing or running: 1) ensure python3 and Chrome/Chromium are available and that you are comfortable the agent can run headless Chrome and (optionally) ffmpeg; 2) be aware the code executes subprocesses (chrome and ffmpeg) and creates temporary HTML files — run it in an environment where executing those binaries is acceptable; 3) note the developer-default absolute icon path (/Users/aatrox/...) may not exist on your machine—if missing, specify --icon or update the template paths; 4) no secrets or network calls are requested by the skill, but you should still review the templates/assets if you plan to render sensitive content. If you want extra assurance, run the scripts locally with safe sample input to confirm behavior before granting agent-level use.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: python3, google-chrome
