Blog Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s main purpose is clear, but it reads private OpenClaw journals and can automatically pass generated content through helper tools and API paths that are not bundled with the package, so it deserves careful review before use.

Install only if you are comfortable with the skill reading your OpenClaw journal files. Consider running it manually first with `--no-humanize`, review the generated HTML before publishing, and avoid enabling the cron job or external humanizer until you verify the helper code and understand any API data sharing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Medium)
What this means

A user may run unreviewed local helper code that can see generated article text and may use an API key.

Why it was flagged

The skill depends on helper code outside the supplied package, including a Downloads path and another skill directory, but those helpers are not included, pinned, or declared in the install requirements.

Skill content

Each article’s body is sent through `/Users/ghost/Downloads/humanizer-1.0.0` (requires `OPENROUTER_API_KEY`) ... Header: From visual-explainer only. Default path: `/Users/ghost/.openclaw/workspace/skills/visual-explainer-main`.

Recommendation

Make external helpers explicit, pinned, and opt-in; declare the OpenRouter/API dependency and document exactly what data is sent.

ASI05: Unexpected Code Execution (Severity: Medium)
What this means

Running the blog generator can also execute an external local tool and pass it journal-derived content.

Why it was flagged

By default, if the external humanizer path exists, the script calls it on the generated body text rather than requiring explicit opt-in for that run.

Skill content

default_humanizer = Path("/Users/ghost/Downloads/humanizer-1.0.0") ... if not getattr(args, "no_humanize", False) and humanizer_path.exists(): ... humanized = generator.run_humanizer(body_text, humanizer_path)

Recommendation

Default to no external helper execution unless the user explicitly enables it for that run, and prefer reviewed bundled code over arbitrary local paths.

ASI06: Memory and Context Poisoning (Severity: Low)
What this means

Private journal or chat-analysis details could be reflected in generated blog drafts, and poisoned or misleading journal content could influence the output.

Why it was flagged

The skill reads persistent OpenClaw journal markdown files and turns extracted content into blog topics.

Skill content

self.journal_dir = openclaw_home / "journal" ... for journal_file in self.journal_dir.rglob("*.md"): ... content = journal_file.read_text()

Recommendation

Review generated posts before sharing them, limit the analyzed date range, and avoid storing secrets or private material in journals used for blog generation.

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

Using the default humanizer may consume API quota and expose generated article text to the model provider used by that helper.

Why it was flagged

The skill may rely on an OpenRouter credential through its humanizer workflow, but registry metadata declares no required environment variables.

Skill content

Humanizer: Runs **between generations** by default ... (requires `OPENROUTER_API_KEY`)

Recommendation

Use a least-privilege API key if available, understand the provider’s data policy, and use `--no-humanize` when external model processing is not desired.

ASI10: Rogue Agents (Severity: Low)
What this means

If enabled, the skill can keep generating blog drafts from recent journals on a schedule.

Why it was flagged

The skill documents recurring automated execution, but the cron job appears user-configured rather than installed silently.

Skill content

This skill is designed to run periodically (daily or weekly) via OpenClaw cron to automatically generate blog content.

Recommendation

Only enable the cron job if you are comfortable with ongoing automated processing, and periodically review generated files.