Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Official Account Assistant
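v1.0.0 Official Account super assistant. Supports AI-flavor-removal writing, automatic article publishing, and intelligent illustration generation. Makes articles not read as AI-written at all.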
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims automatic publishing to 微信公众号 and integrations with DALL·E/Midjourney, which normally require API credentials and network calls. The package declares no required environment variables, no publishing or image-service credentials, and no install steps. The single included Python file (official_account.py) only manipulates a local articles.json and performs simple text transformations; it does not implement any network calls, OAuth flows, or publishing logic. Several files and scripts referenced in SKILL.md (scripts/remove_ai_flavor.py, scripts/auto_publish.py, scripts/generate_images.py, references/*, assets/*) are referenced but not present in the manifest, a strong mismatch with the stated purpose.
Instruction Scope
SKILL.md describes multi-step automated publish flows (scan QR to login, authorize API access, upload content, schedule pushes) and external image generation services, but gives no concrete commands, endpoints, or environment variable names — and the referenced helper scripts are missing. The included official_account.py implements only local drafting/humanizing and writes to articles.json; it does not access environment variables, system-wide config, or network endpoints. The instructions therefore either rely on missing code or expect the agent/operator to supply sensitive credentials interactively, which is not documented.
Install Mechanism
No install spec is provided (instruction-only skill with one Python file). That is lower-risk from an installation perspective because nothing is downloaded or executed automatically during install. However, missing referenced scripts mean functionality depends on additional code not bundled here.
Credentials
The SKILL.md requires actions that would require credentials (WeChat official account login / API authorization, API keys for DALL·E/Midjourney) but the skill declares no required environment variables or primary credential. This is disproportionate and inconsistent: either the skill should request the appropriate credentials, or it shouldn't claim to perform those networked actions. Lack of declared credential usage makes it unclear how secrets would be provided or stored if the missing scripts were later added.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config or other skills' settings. The included code writes only to a local articles.json file in the skill directory. There is no evidence of privileged persistence or modification of other skill configurations.
What to consider before installing
This package is internally inconsistent: the documentation promises auto-publish and AI image integrations (which require API keys and network code), but the bundle only contains a simple local helper (official_account.py) and several referenced scripts/resources are missing. Before installing or providing any credentials:
1) ask the author for the missing scripts and a clear list of required environment variables and where credentials are stored;
2) inspect any auto_publish or generate_images scripts for network endpoints and any code that sends data off-machine;
3) never supply your WeChat/third-party API keys until you can review the exact code that uses them;
4) if you want to test the shipped functionality, run official_account.py in an isolated environment (container or VM) to confirm it only operates locally.
If the author cannot provide the missing components and a trustworthy source/repo (e.g., a public GitHub URL with release history), treat the skill as incomplete and avoid connecting live credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a7wdkx7z89gw6426aa5y40183z7qc
