Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Blog Generator
v1.0.0
Analyzes journal entries and chat history to identify high-value topics and automatically generate blog posts.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (generate blog posts from journal/chat history) matches the included scripts which scan ~/.openclaw/journal and write to ~/.openclaw/blogs, so core capabilities align. However the SKILL.md and scripts reference an external 'humanizer' that requires OPENROUTER_API_KEY and a visual-explainer header generator (scripts/generate_header.py) that is not present in the manifest — those external integrations are not declared in metadata (no required env vars), which is inconsistent with the skill's stated, local-only purpose.
Instruction Scope
Runtime instructions and scripts instruct the agent to read a user's journal directory, scan many markdown files, and save HTML to a hardcoded user path (/Users/ghost/.openclaw/...). The SKILL.md also suggests running a humanizer between generations and pulling a header from a separate skill path; both could cause content to be sent outside the machine depending on implementation. The SKILL.md grants broad discretion (cron, scheduled autonomous runs) and references external models/APIs in examples (openrouter/google/gemini-2.5-flash) not declared in requirements.
Install Mechanism
No install spec is provided (instruction-only + included scripts). No network download/install steps are present in the manifest. That limits risk from arbitrary installers. The code does import subprocess and likely invokes local binaries (humanizer, generate_header) — this is expected but those binaries aren't included here.
Credentials
The skill metadata declares no required environment variables, yet SKILL.md and code mention OPENROUTER_API_KEY (for the humanizer) and show example cron payloads using an OpenRouter model. Requiring an API key to call an external service is reasonable only if declared; here the omission is a mismatch. Asking for an API key that would enable sending journal content externally is disproportionate unless explicitly stated and justified.
Persistence & Privilege
always:false (no forced inclusion) and default autonomous invocation are normal. The skill writes files into the user's ~/.openclaw/blogs directory (expected for a blog generator). It does not request system-wide privileges or modify other skills' configs in the provided files. Still, scheduling it as a cron job (recommended in SKILL.md) increases exposure if the humanizer or other integrations transmit data externally.
What to consider before installing
This skill will read your OpenClaw journal files and write generated blog HTML into ~/.openclaw/blogs; that behavior is consistent with its purpose. However:
(1) SKILL.md and the scripts reference a 'humanizer' that requires OPENROUTER_API_KEY and call an external model in examples — the skill metadata does not declare any required credentials. If the humanizer or model send data to external services, your private journal content could be transmitted.
(2) Several paths are hardcoded to /Users/ghost and a referenced generate_header.py (visual-explainer) is not included — you should update paths before running.
(3) README and SKILL.md disagree about output format (.md vs .html).
Recommended steps before installing or scheduling: inspect the rest of scripts/blog_generator.py (the file was truncated in the package you received) and specifically find implementations of run_humanizer and generate_header to see whether they perform network calls or subprocess spawns; run the skill locally with --no-humanize to avoid external calls; do not set or export OPENROUTER_API_KEY unless you have reviewed and accept where data will be sent; test the scripts in a sandboxed account or VM; and confirm or replace hardcoded /Users/ghost paths with your own home directory. If you need, ask the author for a manifest update that declares required environment variables and the external components the skill depends on.
Like a lobster shell, security has layers — review code before you run it.
