HappyCoding AI Coding

Security checks across malware telemetry and agentic risk

Overview

This is a plausible coding workflow, but it may let the agent use a logged-in account to save and publish projects, so approval boundaries should be reviewed before use.

Install or use this skill only if you want the agent to operate inside the HappyCoding/Xiaochang AI Coding account. Before allowing it to proceed, confirm the exact project, review the preview or final code, and approve any save or publish action. Do not put real API keys into public frontend code.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

The agent could act under an existing platform account, and project edits or publications may be attributed to that account.

Why it was flagged

The workflow tells the agent to rely on an existing logged-in platform account/session. That is high-impact account authority, and the artifact does not clearly define approval, project scope, or credential/session boundaries.

Skill content
Account: 小畅openclaw (usually already logged in; deal with it only if the session has expired)
Recommendation

Require explicit user confirmation before using any logged-in session, clearly declare the needed account access, and restrict actions to user-specified projects.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A project could be saved or published before the user has reviewed the final code, screenshots, or public link.

Why it was flagged

The instructions require project-level saving and publishing, which can permanently mutate a project and expose it via a cloud/share link, without an explicit approval checkpoint in the artifact.

Skill content
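Save to project: you must click the green Save button below "My Projects" on the left (this is a project-level commit).
Publish and return the link: after publishing succeeds, record the share link and key screenshots.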
Recommendation

Add a clear rule to ask the user to confirm the exact project, final diff/preview, and publication target before saving or publishing.

ASI03: Identity and Privilege Abuse
Low
What this means

If a real API key is placed directly into published frontend code, other people may be able to see or misuse it.

Why it was flagged

The skill documents an API-key-authenticated provider call. This is purpose-aligned for the image-generation API, but the artifact gives little guidance on safe storage or avoiding exposure in published client-side code.

Skill content
Header:
- x-api-key: {{your key}}
Recommendation

Use a server-side proxy or secret-management mechanism where possible, and do not hardcode real API keys into public client-side code.

ASI06: Memory and Context Poisoning
Low
What this means

Generated-image history may remain in the browser after the session and could be visible to someone using the same browser profile.

Why it was flagged

The generated project is instructed to persist image-generation history in browser localStorage. It is bounded to 10 items, but it is still local persistent data.

Skill content
History is stored in localStorage.imageHistory (at most 10 entries)
Recommendation

Make the local history visible to users, provide a clear delete/clear option, and avoid storing sensitive prompts or images unless the user expects it.