Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
短视频发布策略生成器
v1.0.0根据IP背景和视频文案,为短视频生成一套完整的发布策略,包括发布时间、话题标签、封面文案和发布标题,并能将文案合成为封面图。
⭐ 0· 67·0 current·0 all-time
byan@ahsbnb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description (generate publishing strategy and compose cover images) matches the included prompts and image-generation script. However, the image script initializes an OpenAI client and retrieves an API key via get_config_value('qdd') even though the skill metadata declares no credentials or environment variables. Requesting an API key (or platform config) is expected for image generation, but it should be declared explicitly. This mismatch is incoherent.
Instruction Scope
SKILL.md instructs reading local prompt files and running the provided Python script for cover generation (expected). However, the PowerShell example uses hard-coded absolute paths and a Windows-specific Python path, which is brittle. More importantly, the generate_cover_image.py will call an external image-generation API and writes the full API response to api_response_content.log; that log may contain sensitive data. The first-step guidance forbids executing external scripts, yet run.py constructs a sessions_spawn call which implies spawning a sub-agent — the division of responsibilities is somewhat ambiguous.
Install Mechanism
There is no install spec (instruction-only plus included scripts). No external installers or downloads are invoked by the package metadata itself, which keeps install risk low. The included Python scripts will be executed if the user runs them, but nothing in the registry installation writes or executes arbitrary external code automatically.
Credentials
The code attempts to obtain an API key via get_config_value('qdd') and also requires a --base-url and --model when running the script, but the skill metadata declares no required env vars or primary credential. That is a clear mismatch: the runtime needs credentials/config but the skill does not declare them. Additionally, the script logs full API responses to disk, which increases the chance of exposing secrets or confidential content. This is disproportionate to the high-level purpose unless the author explicitly requests and documents the needed credential(s).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes output files and an api_response_content.log in its working directory (normal for debugging but could persist sensitive responses). run.py builds a sessions_spawn call (to spawn a sub-agent) — spawning sub-agents is an expected pattern here but grants more autonomous actions; combine that with the undeclared credential access for higher risk.
What to consider before installing
This skill appears to implement the advertised features, but the code expects an API key/config (get_config_value('qdd')) and uses an external image-generation API while the skill metadata declares no required credentials — that's inconsistent. Before installing or running: (1) ask the author to declare exactly which credentials or config keys are needed and why (e.g., OPENAI_API_KEY or a platform-specific key), (2) inspect or replace the undefined get_config_value function to ensure it does not fetch secrets from unexpected places, (3) be aware the script writes full API responses to api_response_content.log (remove or sanitize this logging if you care about confidentiality), (4) run the scripts in an isolated environment (no sensitive credentials) first to observe behavior, and (5) request cross-platform path fixes (avoid hard-coded Windows paths) and clearer instructions about when the agent should spawn sub-agents. If you cannot get satisfactory answers from the author, treat the skill as potentially risky and avoid providing platform-wide secrets to it.Like a lobster shell, security has layers — review code before you run it.
latestvk97a5m43mz1wdwmrxfbrmqnaan83njhn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.