Natural Language Skill Generator

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked on a skill folder containing drafts, private files, or secrets, those files could be pushed to a public repository or published through the user's account.

Why it was flagged

The publish helper stages the entire skill directory, publishes to ClawHub, and creates/pushes a public GitHub repository without an in-script file review, secret check, dry-run, or confirmation prompt.

Skill content

subprocess.run(["git", "add", "."], cwd=local_path, check=True)
...
subprocess.run([CLAWHUB_CMD, "publish", skill_name], ...)
...
["gh", "repo", "create", repo_name, "--public", "--source", ".", "--push"]

Recommendation

Require explicit confirmation showing the destination and exact file list, add a secret scan or allowlist, and consider defaulting GitHub repositories to private unless the user confirms public release.

What this means

Bad or manipulated generated output could cause files to be written outside the intended skill folder or overwrite another skill's files if the save helper is used.

Why it was flagged

A generated or parsed skill name is used directly as a filesystem path component before writing SKILL.md and _meta.json, without enforcing kebab-case, rejecting path separators, or checking that the resolved path remains inside the skills directory.

Skill content

"name": data.get("name", "untitled-skill"),
...
skill_name = skill.get("name", "untitled-skill")
skill_dir = output_dir / skill_name
skill_dir.mkdir(parents=True, exist_ok=True)

Recommendation

Validate skill names with a strict kebab-case regex, reject absolute paths and '..', resolve the final path, ensure it stays under the intended skills root, and show the target path before writing.

What this means

Publishing will act as whichever ClawHub/GitHub account is currently logged in on the machine.

Why it was flagged

The publish flow relies on local ClawHub and GitHub CLI identity/session state, even though no primary credential or required auth setup is declared in the metadata.

Skill content

CLAWHUB_CMD = "clawhub"
...
["gh", "repo", "create", repo_name, "--public", "--source", ".", "--push"]

Recommendation

Document the required accounts and scopes, display the active account before publishing, and require user confirmation before using delegated account authority.

What this means

Users may not realize the skill depends on locally installed tools and their configuration until publishing is attempted.

Why it was flagged

The helper depends on external git and GitHub CLI tools, plus clawhub elsewhere in the script, but the skill metadata lists no required binaries or install requirements.

Skill content

subprocess.run(["git", "init"], cwd=local_path, check=True)
...
subprocess.run(["git", "commit", "-m", f"Add {skill_name} skill"], ...)
...
subprocess.run(["gh", "repo", "create", repo_name, "--public", "--source", ".", "--push"], ...)

Recommendation

Declare git, gh, and clawhub as optional publishing dependencies and document setup, authentication, and expected side effects.

What this means

Generated promotional text may remain available to future sessions or workflows even if the user only expected a one-time draft.

Why it was flagged

The script saves generated promotional content into the OpenClaw memory directory, making it persistent beyond the immediate publish task.

Skill content

output_file = f"~/.openclaw/workspace/memory/douyin-publish-{skill_name}-{datetime.now().strftime('%Y%m%d')}.md"
with open(os.path.expanduser(output_file), 'w') as f:
    f.write(post)

Recommendation

Tell the user before writing to memory, allow a no-save option, and make cleanup instructions clear.