Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Story Writer
v2.0.2小说创作、角色设计、情节设计(三幕式)、对话生成、世界观构建、续写。Story writing with character design, three-act plot structure, dialogue generation, worldbuilding. Supports bilingual docum...
⭐ 1· 1.2k·4 current·4 all-time
byBytesAgain2@ckchzh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included scripts: both scripts generate outlines, characters, plots, worldbuilding, etc. The included bash tools are appropriate for the stated purpose. Minor mismatch: SKILL.md lists python3 as a requirement but none of the shipped scripts use Python.
Instruction Scope
SKILL.md is user-facing guidance and does not mention the scripts' side effects: the shell scripts create a data directory (default $XDG_DATA_HOME or $HOME/.local/share/story-writer), write story drafts, character lists, and an activity history.log. The metadata declared no config paths or env vars, yet the code reads STORY_DIR/XDG_DATA_HOME and writes files — this persistence behavior is not documented in SKILL.md.
Install Mechanism
No install spec is present (instruction-only), and the included files are local bash scripts. No network downloads or external installers are called in the scripts.
Credentials
The skill declares no required credentials or sensitive env vars. It optionally respects STORY_DIR and XDG_DATA_HOME for storage location, which is proportional. No external endpoints or credentials are requested.
Persistence & Privilege
The scripts persist data under a per-user data directory (stories/, characters/, history.log). always:false and no elevated privileges are requested. However, the tool will write files into the user's home directory by default.
What to consider before installing
This skill appears to be a local story-writing toolkit implemented as bash scripts. It does not contact the network or request credentials, which is good. Before installing or running it: 1) Note that it will create and write files under ~/.local/share/story-writer (or $XDG_DATA_HOME or $STORY_DIR if set); if you want to avoid that, set STORY_DIR to a safe folder. 2) The SKILL.md incorrectly lists python3 as a requirement — the scripts are bash-based, so python isn't needed. 3) The scripts write files using user-supplied names (e.g., save <name>), which could allow path traversal if names are not sanitized — avoid passing untrusted or specially crafted names and review the cmd_save implementation. 4) Review the provided scripts yourself (or run them in a sandbox/container) before giving the agent permission to execute them. If you plan to let the agent run the skill autonomously, remember it will be able to write files to your user data directory, so limit privileges accordingly.Like a lobster shell, security has layers — review code before you run it.
chinesevk976cfm08xz2zs3f01prsx460d82ph2elatestvk976n32gk2eqtby7s51rwztfc583pan4productivityvk976cfm08xz2zs3f01prsx460d82ph2e
License
MIT-0
Free to use, modify, and redistribute. No attribution required.