Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xhs Html Creator
v1.0.3小红书图文创作技能。触发条件:用户说"生成图文"、"创作内容"、"做图文矩阵"、"生成XX的图文"时使用。功能:读取素材库 → 生成7张竖屏小红书图文 → AI专家两轮review迭代 → 用户最终确认交付。
⭐ 0· 88·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to only read a local素材库 and generate HTML/screenshots, which matches the templates and output files. However it also references integrations (xhs-material-collector, Feishu image sender) and includes many Python scripts (screenshot/send_images and template renderers). Yet the registry metadata lists no required env vars, no required binaries, and no install spec — which is inconsistent with needing Playwright, HTTP server, and API credentials to post images. Several files suggest external network activity (sending images), so the declared requirements are incomplete/unjustified.
Instruction Scope
SKILL.md instructs starting an HTTP service, running Playwright to screenshot, sending images to AI experts and to Feishu, cleaning files, and reading old HTML paths. The included screenshot example contradicts its own rule: it says 'prohibit hardcoding user directory' but the provided screenshot.py snippet hardcodes WORKSPACE = Path(r'C:\Users\95116\.openclaw\workspace'), which would access a specific user's filesystem. Instructions permit reading old HTML file paths supplied by users and call other components (xhs-material-collector) — these behaviors broaden the scope and could access arbitrary workspace files or external services without declared safeguards.
Install Mechanism
There is no install spec even though the skill ships dozens of Python files that clearly rely on Playwright and likely other Python packages and fonts. The lack of an install mechanism or declared dependencies means required packages may be missing or the skill will attempt to run arbitrary Python code without clearly declared provenance or setup steps. This mismatch increases operational risk.
Credentials
The SKILL.md refers to sending images to Feishu (feishu_image.py / feishu integration) and calling xhs-material-collector, which typically require API tokens/credentials, but the skill declares no required environment variables or primary credential. That omission is suspicious: either credentials are expected but undeclared, or the code will attempt to use hardcoded tokens/endpoints (not shown) or fail. The hardcoded WORKSPACE path is another environment-related mismatch.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not declare system-wide config changes. Iteration rules indicate deletion of older files in the skill's output directory (file cleanup), which is normal for a content generator but be aware it will delete older output/versions under its output/ path.
Scan Findings in Context
[unicode-control-chars] unexpected: A prompt-injection pattern (unicode control characters) was detected in SKILL.md. This suggests the skill's instructions may contain crafted content intended to influence model behavior or evaluation. It is not expected for a straight HTML/template generator and should be inspected.
What to consider before installing
Do not install blindly. The skill includes runnable Python scripts (Playwright screenshots, send_images) but declares no install or dependency list and no credentials even though it mentions posting to Feishu and calling another collector skill. Before using: 1) ask the author to document required packages (e.g., playwright), precise endpoints, and required env vars (Feishu tokens, any API keys); 2) inspect send_images/screenshot scripts for any hardcoded endpoints, embedded tokens, or unexpected network calls; 3) fix the hardcoded WORKSPACE path to a safe relative path or env var (the SKILL.md itself forbids hardcoding but the example still does it); 4) run the skill in a restricted/sandboxed workspace first (no access to your real home directory) and monitor outbound network requests; and 5) require the publisher to add an explicit install spec and to declare the exact permissions/credentials needed before granting access to sensitive environment or tokens.Like a lobster shell, security has layers — review code before you run it.
latestvk977zqkz91ttw4ct96t9k0wazx84j5fz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.