Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Content Planner

v1.0.2

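Social media content scheduler. Helps users plan, create, and manage multi-platform content calendars. Supports content planning, scheduling, and publishing management for platforms such as Xiaohongshu, Zhihu, Douyin, and WeChat Official Accounts.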

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name and description promise multi-platform planning, hotspot tracking ("calls a search engine") and publishing management, but the included code (scripts/planner.py) only generates simple local JSON topic/title/tag stubs. The declared features in SKILL.md/_meta.json exceed what is actually implemented. Also registry metadata lists version 1.0.2 while _meta.json is 1.0.1 — a minor metadata inconsistency.
Instruction Scope
SKILL.md instructs running the local Python script (cd scripts; python planner.py) and shows no instructions to read system files or use secrets. However, SKILL.md and README mention 'hotspot tracking (calls a search engine)' and 'one-click export to publishing formats', which would imply network access or platform APIs; the shipped runtime instructions and code do not perform network calls. This mismatch could lead to surprising behavior if the skill is later updated to include network/publishing capabilities.
Install Mechanism
No install spec is provided (instruction-only with an included small Python script). Nothing is downloaded or extracted during install; no extra packages are requested. This is low-risk from an install mechanism perspective.
Credentials
The skill declares no required environment variables, no credentials, and the code does not access environment variables or secrets. There is no disproportionate credential request.
Persistence & Privilege
always is false, the skill does not request persistent/system privileges, and it does not modify other skills or system-wide settings. No elevated persistence is requested.
What to consider before installing
This package appears to be a simple local content-generator (prints JSON with titles/tags). Before installing or using it:
1) Inspect the single script (scripts/planner.py) yourself — it is short and readable and currently contains no network calls or secret usage.
2) Note the documentation promises extra features (hotspot tracking, multi-platform publishing) that are not implemented; confirm with the author or source if you expect those features.
3) Because the source/homepage is unknown and metadata versions mismatch, run it in a sandbox or isolated environment if you want to test it.
4) Do NOT provide any API keys, platform credentials, or other secrets to this skill until you verify it actually needs them and you trust the source.
5) If you require hotspot tracking or automated publishing, prefer a skill with transparent network/publishing code and a known, trustworthy source.

Like a lobster shell, security has layers — review code before you run it.
