Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wechat Article

v1.0.0

WeChat official-account writing skill: produces colloquial, story-driven, opinionated articles following Fu Sheng's writing style guide.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (write WeChat public-account articles in a specific style) is straightforward and would not normally require running system scripts or external publishing tooling. However, the SKILL.md explicitly calls a script at /usr/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py and references 'wechat-mp-toolkit' for publishing — capabilities that are not explained or declared in the skill metadata.
Instruction Scope
Instructions direct the agent to run an external image-generation script at a hard-coded system path and to use an external publishing tool. The skill also says to 'read the writing style guide' without specifying where, which potentially implies reading files or system state not contained in the skill. These steps expand the runtime scope beyond simple text generation and grant the agent discretion to execute arbitrary local scripts.
Install Mechanism
There is no install spec (instruction-only), which limits installation risk. However, the SKILL.md references a script in /usr/lib/node_modules/... (another skill's install path). That reference implies reliance on files installed elsewhere; if that path is present, the skill expects to execute code from it, which raises risk even though this skill does not itself install anything.
Credentials
No environment variables or credentials are declared, but the publishing step ('使用 wechat-mp-toolkit 发布', i.e. 'publish using wechat-mp-toolkit') would normally require credentials or tokens. The absence of declared env vars/credentials is inconsistent with the publish action. Additionally, invoking a script in another skill's node_modules path could access other configs or secrets on the system.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time changes declared. It is user-invocable and allows normal autonomous invocation (platform default). There is no evidence the skill modifies other skills' configs or requests persistent elevated privileges.
What to consider before installing
This skill is primarily a writing template, which is fine, but the instructions try to run an external image-generation script at /usr/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py and to publish via 'wechat-mp-toolkit' without declaring any credentials. Before installing or running it:
1) Verify whether that generate_image.py exists on your system and inspect its contents; do not run it until you trust it.
2) Confirm where the 'writing style guide' is stored (local file, remote URL, or embedded text); avoid granting broad file-read permissions.
3) If you plan to use the publishing step, ensure the required WeChat publishing credentials are provided separately and follow least privilege; do not hardcode secrets.
4) Prefer running the image-generation and publishing steps in a sandbox or isolated environment first.
If these external tools/scripts are intentional and trusted, ask the skill author to declare them (install steps and required env vars) so the behavior is transparent.



