Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
内容创业凭证管理器
v1.0.0内容创业凭证管理器。追踪和管理已安装技能的 API 凭证配置状态,引导用户逐步完成每个平台的凭证配置,让内容创作技能从"装好了"到"真正可用"。触发场景:(1) 用户问"哪些技能可以用了"、"凭证配置好了吗";(2) 开始内容创作前检查环境;(3) 新技能安装后登记凭证状态;(4) 排查"为什么XX技能不能用"。
⭐ 0· 37·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description align with the code: scripts read/write a local ~/.openclaw/credentials.json and report which platform fields are present. No unrelated credentials, binaries, or network calls are requested by the code. This is coherent with a credential manager.
Instruction Scope
SKILL.md instructs users to provide full API keys and browser cookies via conversation (e.g., 'tell me the cookie string' or 'Tavily API Key is tvly-xxxxx') and promises to write them to disk. That creates risk: sensitive secrets may be transmitted in chat and could be exfiltrated by an agent or logged. SKILL.md also references several verification scripts (verify_wechat.py, verify_meitu.py, verify_xhs.py, and step-tts scripts) that are not present in the file manifest, which is an inconsistency that will confuse users and may cause failed verification steps.
Install Mechanism
Instruction-only skill with no install spec and only two small helper scripts; lowest install risk. No downloads, package installs, or archives are used.
Credentials
The skill requests no environment variables or external credentials in metadata; it stores credentials locally in ~/.openclaw/credentials.json which is proportionate to its stated purpose. The code masks values when printing, and sets os.umask(0o077) before writing to attempt restrictive permissions (though users should verify resulting file permissions).
Persistence & Privilege
always:false (no forced presence) and the skill does not modify other skills or system settings. It only reads/writes its own credentials file under the user's home directory.
What to consider before installing
This skill is generally coherent with its purpose (tracking and writing local credentials), but exercise caution before pasting secrets into chat. Prefer running the included set_credential.py locally in your shell (python3 skills/content-credential-manager/scripts/set_credential.py ...) rather than telling the agent the full API key or browser cookie via conversation. Verify the file ~/.openclaw/credentials.json permissions after saving (should be readable only by you). Note that SKILL.md references verification scripts (verify_wechat.py, verify_meitu.py, verify_xhs.py) that are not included — expect verification steps to be incomplete unless the skill is updated. If you must use the agent to provide secrets, confirm the agent will not send them to external endpoints and consider redacting or using short-lived keys where possible.Like a lobster shell, security has layers — review code before you run it.
automationvk974g4ww682gz2mersfnf275en84pdjdcontent-creationvk974g4ww682gz2mersfnf275en84pdjdcredentialsvk974g4ww682gz2mersfnf275en84pdjdlatestvk974g4ww682gz2mersfnf275en84pdjd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.