Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wechat Article Gen Pro
v1.0.0
AI-powered tool generating optimized WeChat article titles and content with automatic formatting and SEO suggestions for various styles.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and description claim 'AI 大模型' usage, SEO suggestions, and automatic formatting, but the only code (main.py) is a tiny local stub that does not import or call any AI or network libraries. _meta.json lists requirements ['requests','openai'] which are not used by main.py. The install instruction in SKILL.md (clawhub install wechat-article-generator) uses a different slug than the skill's slug (wechat-article-gen-pro). These mismatches indicate the published bundle does not actually implement the claimed AI/network behavior.
Instruction Scope
SKILL.md gives high-level marketing and a single install command but no runtime instructions for API keys, configuration, or data handling. It does not instruct reading system files or exfiltrating data, but it also fails to explain how the advertised 'AI' features are configured (no mention of OPENAI_API_KEY or endpoints). The lack of operational detail is noteworthy.
Install Mechanism
There is no explicit install spec in the bundle (instruction-only), which is lower risk. However, _meta.json declares Python dependencies ('requests', 'openai') while no packaging/install manifest or install script is provided — this mismatch could cause surprises if a package manager later installs those dependencies.
Credentials
The skill declares no required env vars or credentials, yet claims to use an AI model and lists 'openai' in requirements (which normally requires an API key). Either the skill is incomplete (missing the env var requirement) or it will later need a credential not declared here. That gap is disproportionate to the bundle as published and could hide a future need to supply sensitive keys.
Persistence & Privilege
The skill is not flagged as always:true, requests no config paths, and does not attempt to persist or modify system/agent-wide configuration in the provided files. Default autonomous invocation is allowed (platform default) and is not by itself a red flag here.
What to consider before installing
This package is inconsistent: it advertises AI-powered generation but the included code is only a local stub and there are mismatches in metadata and install name. Before installing, ask the publisher for the source repository and a real implementation that shows how/where it calls the AI provider, what environment variables (e.g., OPENAI_API_KEY) it requires, and how payments/licensing are handled. Do not provide API keys until you can inspect code that makes network requests; if the real implementation uses your OpenAI key it can make arbitrary network calls and consume your quota. Prefer installing in an isolated/sandbox environment and verify the actual network behavior (which endpoints are contacted) before using with production credentials or sensitive data.
Like a lobster shell, security has layers — review code before you run it.
