Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
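design-ads Poster Maker
v1.0.0
AI generator for knowledge-style posters and cover images. From the topic content the user provides, it automatically generates a 1200x1800 pixel portrait poster image in a uniform dark, tech-style design (dark background + gradient accent colors + Source Han Serif headings + Source Han Sans body text). Supports 6 template layouts: 3 cover styles (centered icon, feature grid, list display) and 3 inner-page styles (tool detail, prompt...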
by @bozoyan
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (poster/cover generator) aligns with the included scripts (render.js, puppeteer renderers), design-system reference, and Puppeteer dependency — these are expected for rendering 1200x1800 PNGs from HTML.
Instruction Scope
SKILL.md instructs the agent to generate HTML, save to /tmp/design-ads-output.html, then run the bundled render script which loads the local HTML via file://, screenshots using Puppeteer/Selenium, and presents the PNG. The runtime will read the local references/design-system.md and write files to /tmp and the user's Downloads folder. This file I/O is consistent with the skill purpose but users should expect local file creation and directory enumeration of ~/Downloads.
Install Mechanism
There is no separate download-from-URL installer; package.json lists Puppeteer (a standard npm dependency) and code is included in the bundle. No external or shortener URLs or extract-from-untrusted-archive behavior was found.
Credentials
The skill requires no environment variables or credentials. It does access the filesystem (home and Downloads directories) to create timestamped output folders and to copy generated files, which is proportionate to delivering output but worth noting to users who may not want files written or directories enumerated.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges or modify other skills. It only writes its own output files to /tmp and ~/Downloads and does not alter agent configuration.
Assessment
What to consider before installing:
- The skill is coherent: it generates HTML per the included design spec and uses Puppeteer/Selenium to render PNGs. No secrets or network exfiltration were found.
- It will run local code (Node scripts and optional Python Selenium) and requires Node.js >= 18 and a Chrome/Chromium binary. Installing Puppeteer/npm deps may download a large Chromium binary if system Chrome is not used.
- The render script will create files in /tmp and copy the HTML + PNG outputs into a timestamped folder under your Downloads directory and will enumerate folders there (to find recent design-ads_* dirs). If you do not want local files written or directory reads, do not install or run the skill.
- The script launches Chrome with flags like --no-sandbox (common for headless runs) and sets an executablePath hardcoded to a macOS Chrome path; on non-macOS systems you may need to adjust configuration or ensure a Chromium binary is available.
- As with any code from an unknown source, review the bundled scripts before executing and run in a controlled environment if you have concerns (e.g., sandboxed VM or container). If you need additional assurance, ask the publisher for provenance or sign-off, or request a version that omits automatic copying to ~/Downloads.
Like a lobster shell, security has layers — review code before you run it.
