Skill v1.0.2
ClawScan security
易企秀H5制作 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 11:06 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required inputs are coherent with its stated purpose of creating/editing 易企秀 H5 pages; it stores a service token locally and talks only to eqxiu-related endpoints.
- Guidance: This skill appears to do what it claims: it runs a local Python CLI to call 易企秀 APIs. Before installing, be aware that:
  - You will need to provide an X-Openclaw-Token; the script will save it to ~/.eqxiu/config.json (it attempts to set file perms to 600).
  - The client makes network requests to eqxiu domains (ai-api.eqxiu.com, material-api.eqxiu.com, passport.eqxiu.com, etc.) and will send your token with those requests — only supply a token you trust this code to use.
  - Upload commands read local files you point them at and may require installing the cos-python-sdk-v5 package for COS uploads.
  - If you have concerns, review the included Python files (especially config_store.py and upload_material.py) and test in a controlled environment before granting access to sensitive tokens or uploading private files.
Review Dimensions
- Purpose & Capability: ok. Name/description describe an 易企秀 H5 creator; the bundled Python client and CLI call eqxiu AIGC, material, passport and COS-related APIs (e.g., ai-api.eqxiu.com, material-api.eqxiu.com, passport.eqxiu.com). The requested actions (category/style/outline/scene-tpl/pipeline/material upload/replace-image) match the stated functionality.
- Instruction Scope: ok. SKILL.md instructs running the included scripts, and the client code only references expected files, ~/.eqxiu/config.json, and eqxiu endpoints. It requires an X-Openclaw-Token and optionally local file paths for uploads — all within the skill's domain. There are no instructions to read unrelated system files or to send data to external endpoints outside eqxiu domains.
- Install Mechanism: ok. No external install spec (instruction-only) and no downloads; code is bundled in the skill. The only runtime dependencies are Python packages (requests; cos-python-sdk-v5 only needed for COS uploads), which are documented in SKILL.md and present in comments. No suspicious remote installers or extracted archives.
- Credentials: ok. The skill requires an X-Openclaw-Token (stored in ~/.eqxiu/config.json) and exposes a few environment-variable overrides for API base URLs/timeouts; these are proportionate to an API client. No unrelated credentials or broad environment access are requested.
- Persistence & Privilege: ok. always:false and normal autonomous invocation. The only persistent change is saving the token to ~/.eqxiu/config.json (with chmod attempt). The skill does not modify other skills or system-wide settings.
