Fanqie Novel One-Stop Automatic Writing and Publishing
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill’s purpose is clear, but it can use a logged-in Fanqie account to auto-publish generated chapters while credential and review boundaries are under-declared.
Install only if you are comfortable letting the skill and its dependencies use your Fanqie writer session to publish content. Review the dependent fanqie-publisher skill, inspect generated chapters and `.learnings` files, and disable or avoid automatic publishing unless you want chapters posted without a separate manual approval step.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated or converted chapters could be posted to the user’s Fanqie account before the user has reviewed each chapter.
This batch workflow publishes every Markdown chapter in the output directory without showing an explicit per-chapter approval or draft step. Public posting to a writer account is a high-impact action even when it matches the skill’s purpose.
md_files = list(output_dir.glob("*.md")) ... for f in sorted(md_files): ... result = self.publish_chapter(work_title, str(f), interval)
Default to draft/manual mode, require explicit confirmation before batch publication, and clearly document how users can preview, cancel, or undo publishing.
Running the skill may act through the user’s logged-in Fanqie writer account, including publishing content, even though the registry does not surface a credential requirement.
The skill expects access to a persistent Fanqie session cookie, while the registry metadata declares no primary credential and no required config path. That under-declares the account authority involved.
Cookie file: `~/.openclaw/skills/fanqie-publisher/scripts/fanqie_cookies.json`
Declare the Fanqie session/cookie requirement in metadata, explain exactly what account actions are possible, and avoid using stored session cookies unless the user explicitly opts in.
The actual login and publishing behavior depends on another local skill; if that dependency changes or is untrusted, it can affect the same account-publishing authority.
The skill dynamically imports publishing functions from a separately installed skill. This is purpose-aligned, but the reviewed artifact set does not pin or include that dependency’s implementation.
self.scripts_dir = Path.home() / ".openclaw/skills/fanqie-publisher/scripts" ... sys.path.insert(0, str(self.scripts_dir)) ... from main import publish_batch
Install dependencies only from trusted sources, pin/review the dependent skill versions, and document the dependency contract in the install metadata.
Old or edited memory files could shape future chapters and may lead to unintended content being generated or published.
The generator reads persistent local story-memory files. This is scoped and expected for novel generation, but those files can influence later generated and potentially published chapters.
self.learnings_dir = self.work_dir / ".learnings" ... return self.load_learning("STORY_BIBLE.md")
Review the `.learnings` files before publishing and keep them limited to the intended project.
A user may believe chapters are automatically reviewed and revised before publication when the reviewed source does not substantiate that safeguard.
The README claims built-in quality checking and automatic revision, but the provided code does not show an implemented quality-check/revision workflow and the CLI references missing workflow methods. This can make users over-trust the automation before public posting.
- Built-in quality checks, with automatic revision when the standard is not met
Either implement and document the review workflow clearly or remove/qualify the safety and quality-check claims; require human review before publishing.
