自媒体文案生成器 (Self-Media Copywriting Generator)

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Hard-coded provider credential

What this means

Anyone who can read the skill's source can extract and reuse the provider key. LLM calls then run under whoever owns that key rather than the skill's user, with billing, logging, and access consequences for that account and no way to attribute usage to the person who actually ran the skill.

Why it was flagged

The source embeds a Dashscope-style bearer token directly in code instead of using a declared user-supplied credential.

Skill content
api_key = "sk-sp-..." ... 'Authorization': f'Bearer {api_key}'
Recommendation

Remove the hard-coded key and rotate it at the provider (treat it as already compromised). Require a user-supplied environment variable such as DASHSCOPE_API_KEY, declare that credential in the skill metadata, and fail closed when it is absent rather than falling back to an embedded value.
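The following is an added example, not code from the skill or from ClawScan. It shows the two halves of this recommendation in Python (the language of the quoted skill source): a small scanner that finds an `sk-`-style key assigned in source the way the finding describes, and a hardened loader that replaces `api_key = "sk-..."` with a user-supplied DASHSCOPE_API_KEY that fails closed. The key prefix, placeholder list, and the sample snippet are assumptions constructed for the example; the real key is not reproduced.

```python
from __future__ import annotations

import os
import re
from typing import Mapping, Optional

# Shape of the token ClawScan flagged: an "sk-"-prefixed bearer key assigned to a
# variable in source. The prefix and variable names are an assumption for this
# example, not ClawScan's real rule set.
HARDCODED_KEY_RE = re.compile(
    r"""(?P<name>api[_-]?key|token|secret)\s*=\s*['"](?P<value>sk-[A-Za-z0-9_-]{8,})['"]""",
    re.IGNORECASE,
)

# Values that mean "no real credential was supplied" (assumed list).
PLACEHOLDERS = {"", "changeme", "your-key-here", "sk-..."}


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_key) for every embedded key in SOURCE.

    The full value is never returned: a scanner report must not become a
    second place the secret is written down.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_KEY_RE.search(line)
        if m:
            value = m.group("value")
            hits.append((lineno, value[:6] + "..." + value[-2:]))
    return hits


def validate_key(key: Optional[str]) -> Optional[str]:
    """Return a reason the key is unusable, or None if it looks like a real credential."""
    key = (key or "").strip()
    if key.lower() in PLACEHOLDERS:
        return "DASHSCOPE_API_KEY is unset or still a placeholder"
    if any(ch.isspace() for ch in key):
        return "DASHSCOPE_API_KEY contains whitespace; check the export"
    return None


class MissingCredential(RuntimeError):
    """Raised when the user has not supplied the declared provider credential."""


def load_dashscope_key(env: Mapping[str, str] = os.environ) -> str:
    """Hardened replacement for `api_key = "sk-..."`: read the key from the user's
    environment and fail closed instead of falling back to an embedded value."""
    key = env.get("DASHSCOPE_API_KEY")
    problem = validate_key(key)
    if problem:
        raise MissingCredential(
            problem + "; declare the variable in the skill metadata and export it before use"
        )
    return key.strip()


def auth_header(env: Mapping[str, str] = os.environ) -> dict[str, str]:
    """Build the Authorization header from the user-supplied key, never from source."""
    return {"Authorization": f"Bearer {load_dashscope_key(env)}"}


# Constructed sample with the shape of the flagged source; the key is fake.
VULNERABLE_SNIPPET = (
    "import requests\n"
    'api_key = "sk-sp-abcdef1234567890"   # embedded provider key\n'
    "headers = {'Authorization': f'Bearer {api_key}'}\n"
)

if __name__ == "__main__":
    for lineno, masked in find_hardcoded_keys(VULNERABLE_SNIPPET):
        print(f"line {lineno}: hard-coded provider key {masked}")
    try:
        load_dashscope_key({})  # no DASHSCOPE_API_KEY exported: refuse to run
    except MissingCredential as exc:
        print("fail closed:", exc)
```

`load_dashscope_key` takes the environment as a parameter so the fail-closed path can be exercised without unsetting real variables; in the skill itself the default `os.environ` is what you want.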

Undisclosed external data flow

What this means

User topics, keywords, and audience details could leave the local environment for an external LLM service without a clear install-time disclosure.

Why it was flagged

If the LLM path is enabled, the skill sends system and user prompt content to Dashscope, but the registry lists no credential or external provider requirement.

Skill content
url = "https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions" ... "messages": [{"role": "system", "content": system}, {"role": "user", "content": user}]
Recommendation

Document the provider data flow (what is sent, to which endpoint, under whose account), make external LLM use explicit and opt-in at install or first use rather than the default path, and do not send business or personal details unless the user has consented.
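An added example (not the skill's own code) of what that recommendation looks like in Python: the request to the endpoint quoted in the finding is only built when the user has explicitly opted in, contact details are redacted from the user prompt unless the user chose to share them, and building the request is separated from sending it so what would leave the machine can be inspected first. The opt-in variable `SKILL_ALLOW_EXTERNAL_LLM`, the redaction patterns, the model name, and the sample prompt are all assumptions constructed for the example.

```python
from __future__ import annotations

import re
from typing import Mapping, Optional

# Endpoint quoted in the finding.
DASHSCOPE_URL = "https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions"

# Hypothetical opt-in switch for this example; the skill as scanned declares nothing like it.
OPT_IN_VAR = "SKILL_ALLOW_EXTERNAL_LLM"

# Deliberately simple redaction patterns (an assumption of this example): enough to keep
# obvious contact details out of the prompt, not a complete PII filter.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"(?<!\d)(?:\+?86[- ]?)?1[3-9]\d{9}(?!\d)"), "[PHONE]"),  # PRC mobile
    (re.compile(r"(?<!\d)\d{3}-\d{3}-\d{4}(?!\d)"), "[PHONE]"),            # NANP style
]


def redact(text: str) -> str:
    """Replace contact details with labels before the text can leave the host."""
    for pattern, label in REDACTIONS:
        text = pattern.sub(label, text)
    return text


def external_llm_enabled(env: Mapping[str, str]) -> bool:
    """Explicit opt-in: an absent or unrecognised value means 'stay local'."""
    return env.get(OPT_IN_VAR, "").strip().lower() in {"1", "true", "yes"}


def build_dashscope_request(system: str, user: str, env: Mapping[str, str],
                            *, share_personal_details: bool = False) -> Optional[dict]:
    """Return the request the skill would send, or None when the local path applies.

    Nothing is sent here; the caller decides whether to perform the network call,
    so the exact outbound payload can be logged or reviewed first.
    """
    if not external_llm_enabled(env):
        return None
    api_key = env.get("DASHSCOPE_API_KEY", "").strip()
    if not api_key:
        raise RuntimeError("DASHSCOPE_API_KEY must be set when external LLM use is enabled")
    if not share_personal_details:
        user = redact(user)
    return {
        "url": DASHSCOPE_URL,
        "headers": {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        "json": {
            "model": "qwen-plus",  # model name is an assumption; the finding does not quote one
            "messages": [{"role": "system", "content": system},
                         {"role": "user", "content": user}],
        },
    }


def data_flow_notice(env: Mapping[str, str]) -> str:
    """Disclosure text suitable for SKILL.md or an install-time prompt."""
    if not external_llm_enabled(env):
        return "External LLM disabled: topics, keywords and audience details stay on this machine."
    return (f"External LLM enabled: system and user prompts are sent to {DASHSCOPE_URL} "
            f"under the account that owns DASHSCOPE_API_KEY; contact details are redacted "
            f"unless share_personal_details=True.")


if __name__ == "__main__":
    # Constructed sample input for the example.
    system = "You write short social-media posts."
    user = "Topic: spring sale. Contact 13812345678 or sales@example.com for details."
    print(data_flow_notice({}))
    print(build_dashscope_request(system, user, {}))          # None: local path
    env = {OPT_IN_VAR: "1", "DASHSCOPE_API_KEY": "sk-example-not-real"}
    print(data_flow_notice(env))
    print(build_dashscope_request(system, user, env)["json"]["messages"][1]["content"])
```

Keeping the default branch local (returning None) is the point: the external call must be something the user turned on, not something they have to discover and turn off.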