Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GitHub to RedNote
v1.6.0
Convert GitHub repositories into RedNote (小红书) style technical articles. Use when user wants to generate tech promotion content from GitHub repos - including...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and manifest show a coherent purpose: fetch GitHub repo data, use the OpenClaw built-in agent to generate content, and optionally render cover images. However the top-level registry metadata (in the evaluation header) claimed 'Required env vars: none / Primary credential: none' while manifest.yaml and README explicitly require GITHUB_TOKEN and the code (github_api.py) enforces it. This mismatch between declared requirements and actual requirements is incoherent and could mislead users.
Instruction Scope
SKILL.md and scripts instruct the agent to fetch repo data via the GitHub API, call an OpenClaw agent client, format text, and generate images. These actions are consistent with the described purpose. However the SKILL.md was flagged by the pre-scan for 'system-prompt-override' and 'unicode-control-chars' (prompt-injection patterns). That indicates the runtime instructions may contain hidden or manipulative content that could try to alter the agent's system prompt or behavior — this is outside the expected scope for a content-generator skill and is a red flag that should be investigated by inspecting the raw SKILL.md for control characters or embedded injection payloads.
Install Mechanism
There is no install spec (instruction-only from the registry perspective), which is low-risk because nothing is downloaded at install time. However the package includes multiple local Python scripts (github_api.py, llm_generator.py, image_generator.py, etc.) that will be executed by users/agents. No external installers or remote downloads are specified in the manifest, so install-time risk is limited — but you should still review the included scripts before running them.
Credentials
The only required secret in the manifest/README/code is GITHUB_TOKEN, which is appropriate for a tool that calls the GitHub API. That token requirement is proportionate. The inconsistency is that the registry metadata in the header claims 'no required env vars' while manifest.yaml and the code require GITHUB_TOKEN — this documentation mismatch reduces trust and should be resolved before use. Also the tool writes cache files to ~/.cache/github-to-rednote which is expected but worth noting.
Persistence & Privilege
The skill does not request 'always: true' and does not declare modifications to other skills or system-wide settings. It creates cache files under the user's home directory (~/.cache/github-to-rednote) and writes generated images/articles to user-specified output paths — these are expected behaviors and within the scope of the skill.
Scan Findings in Context
[system-prompt-override] unexpected: Not expected. A content-generation skill should not attempt to override the agent's system prompt. The SKILL.md was flagged; inspect the raw SKILL.md for hidden control sequences or explicit instructions that try to modify the agent/system prompt.
[unicode-control-chars] unexpected: Not expected. Presence of unicode control characters may be used to hide or obfuscate text, including prompt-injection payloads. Verify SKILL.md and other plaintext files for invisible characters before running.
What to consider before installing
Before installing or running this skill:
1) Inspect raw files: open SKILL.md, manifest.yaml, and scripts/llm_generator.py and image_generator.py in a text editor that can show invisible/control characters. The pre-scan flagged possible system-prompt override and unicode-control characters in SKILL.md — remove or investigate any unexpected control characters or instructions that attempt to change agent/system prompts.
2) Confirm environment variable expectation: manifest.yaml and the code require a GITHUB_TOKEN. Do NOT provide a token with wide write/admin scopes. For public repo reads use a token with minimal scopes (public_repo or no repo write scopes). If you only need public repository metadata, prefer a token limited to read-only access.
3) Review network behavior in llm_generator.py: README claims 'no external LLM API keys required' and the code uses an OpenClaw agent client, but inspect llm_generator.py to ensure it does not call external LLM services (OpenAI/Anthropic/etc.) or unexpected endpoints. If it makes outbound network requests beyond api.github.com, evaluate whether those are necessary.
4) Check subprocess usage: image_generator.py imports subprocess and may invoke external converters (cairosvg or system binaries). Ensure it doesn't construct shell commands from untrusted input (e.g., repo README content) that could lead to command injection.
5) Sandbox and least privilege: run the tool in a sandboxed account or container first. Clear or inspect cache files under ~/.cache/github-to-rednote if concerned. Do not run with elevated privileges.
6) If you plan to use this skill autonomously, be extra cautious: prompt-injection indicators combined with autonomous invocation increase risk. If you cannot verify the SKILL.md and llm_generator contents, avoid granting it autonomous execution.
If you want, I can: (a) search the included files for suspicious function calls or remote endpoints, (b) display the raw SKILL.md with visible-control-character highlighting, or (c) summarize llm_generator.py and any subprocess calls found in image_generator.py to help you decide.
Like a lobster shell, security has layers — review code before you run it.
