Skill v1.0.0

ClawScan security

XHS Big Text Poster 小红书大字风格封面配图 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign, Apr 11, 2026, 3:17 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only workflow for generating and sending marketing-style images; its declared purpose, tools, and file usage are internally consistent and proportional.
Guidance
This skill appears coherent and safe as an image-generation+delivery workflow. Before installing, confirm: (1) you are okay with images being written to /workspace/xhs/; (2) the hardcoded recipient ('廖老师') is intended — the skill will send final images externally via your Feishu integration; and (3) your platform has the Feishu messaging and image-hosting (CDN) capability the instructions assume. If any of those are undesirable, edit the SKILL.md to change the recipient, output path, or how images are uploaded/sent.

Review Dimensions

Purpose & Capability
ok: Name/description (make 小红书 big-text images) match the instructions: generate base images, refine copy, overlay text, save to /workspace/xhs/, and send via Feishu. The referenced tools (image_synthesize, images_understand, message) are coherent with the stated purpose.
Instruction Scope
note: Runtime instructions remain within the stated workflow: generate base image, confirm with images_understand, overlay text, and send via Feishu. Minor implementation ambiguities: the skill hardcodes output paths (/workspace/xhs/) and a fixed recipient ('廖老师'), and it refers to sending a '图片CDN路径' (image CDN path) without specifying the upload step. These are operational details rather than scope creep.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes disk writes and external install risk.
Credentials
note: The skill requests no environment variables or credentials in its metadata, which is proportional. However, it relies on the agent/platform having a Feishu messaging integration (and associated credentials) and a way to host/produce a CDN path for images. Those platform-level capabilities/credentials are assumed but not requested by the skill itself.
Persistence & Privilege
ok: The always setting is false; the skill does not request persistent system-wide privileges or modify other skills. It writes output to its own workspace path only.