财税公众号小助手 (Finance and Tax Official Account Assistant)

Review

Audited by ClawScan on May 10, 2026.

Overview

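This skill is mainly used to generate finance and tax articles, but its command configuration points to a hardcoded local script path and includes a script that is not shipped with the package, so the related commands need manual verification before use.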

Before installing, verify whether the command JSON is actually used by your OpenClaw setup. Do not run the /fin-review commands until editorial-workflow.js is included and paths are changed to package-relative locations. Also note that image generation uses Unsplash over the network and writes files locally, and optional Coze/Word-conversion guides may upload article content to third-party services.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Some advertised review commands could execute code outside the installed skill package, so the behavior may not match what was reviewed here.

Why it was flagged

The configured review commands execute a hardcoded absolute local path, and the referenced editorial-workflow.js is not included in the provided file manifest. If this command mapping is used, it may fail or run a local script that was not part of the reviewed package.

Skill content
"args": ["E:\\Claude Code\\claude\\skills\\editorial-workflow.js", "--topic", "{topic}"

Recommendation

Replace absolute paths with package-relative paths and include every referenced script in the package, or remove the review commands until the helper script is provided and reviewed.

What this means

Image generation relies on a bundled third-party service credential; it may stop working if the key is revoked or rate-limited, and use of the key is not separately declared in metadata.

Why it was flagged

The image helper embeds an Unsplash API key directly in source code rather than requiring a user-provided or environment-scoped credential.

Skill content
const API_KEY = 'qekoFPuHK6YT6369knsRXQ6ZeUkgbI2xPZKZ3qaRvyk';

Recommendation

Disclose the Unsplash dependency and move the API key to an environment variable or documented configuration.

What this means

Using image commands will make external network requests and create local image files.

Why it was flagged

The 配图 (illustration) helper contacts Unsplash and writes downloaded images to a local articles/images directory, which is expected for image generation but should be visible to users.

Skill content
https://api.unsplash.com/search/photos?...client_id=${API_KEY} ... const stream = fs.createWriteStream(filePath);

Recommendation

Confirm that external image download is acceptable before using the 配图 (illustration) commands, and review where generated files are saved.

What this means

If users follow that optional guide, article content may be shared with an external conversion service.

Why it was flagged

An optional Coze deployment guide shows sending generated Markdown article content to a third-party conversion API.

Skill content
"url": "https://api.convertapi.com/Word/MdToWord" ... "Data": "{{{markdown_content}}}"

Recommendation

Use third-party conversion only for content you are comfortable uploading, and document the provider, retention, and privacy implications.