Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Auto Article Writer
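v1.0.0
Uses AI to automatically generate original self-media articles in the style of multiple platforms such as WeChat Official Accounts, Zhihu, and Xiaohongshu, with multi-format export and batch production.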
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose is AI content generation, which reasonably requires an LLM API key (e.g., OpenAI). _meta.json lists requirements:["openai"], but the registry metadata provided to the platform shows no required env vars or primary credential. That inconsistency suggests missing or undeclared credential requirements.
Instruction Scope
SKILL.md contains only high-level command templates (generate article, batch generate, output directory, formats). It does not instruct reading unrelated system files or exfiltrating data, but it does assume writing output files (e.g., ./articles) and is vague about how 'AI 智能生成' and '自动配图建议' are implemented (which external services/endpoints will be called is unspecified). The vagueness gives the skill broad latitude at runtime.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing is downloaded or written by an installer. Instruction-only skills are lower risk in terms of disk writes and arbitrary code execution.
Credentials
Meta declares an 'openai' requirement but the skill does not list or require an OPENAI_API_KEY or similar env var in the registry metadata or SKILL.md. A legitimate AI-generation skill should declare the exact credential(s) it needs. Also the skill could plausibly need platform posting credentials (WeChat, Zhihu) if it added publishing features — none are declared or described.
Persistence & Privilege
The skill is not set to always:true, does not request special platform-wide privileges in the provided files, and does not appear to modify other skills or system settings. Autonomous invocation is allowed by default (not a red flag by itself).
What to consider before installing
Do not install or run this skill until the author clarifies where AI calls run and how credentials are handled. Specifically:
1) Ask the maintainer to declare required env vars (e.g., OPENAI_API_KEY) and the exact endpoint used (OpenAI or another service).
2) Prefer skills that show source code or a homepage/repository so you can review network calls.
3) If you must test, use a sandbox account and a limited-budget API key, and avoid providing high-privilege keys (don’t reuse your primary OpenAI/AWS keys).
4) Confirm whether the skill will ever post to external platforms or upload images, and require explicit opt-in for any publishing.
If the author updates metadata to explicitly list credentials, endpoints, and runtime behavior, re-evaluate — that could raise confidence to benign.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974hwfq0y5211x1056qws46js83sj86
