公众号文章创作
WarnAudited by ClawScan on May 10, 2026.
Overview
The writing workflow is understandable, but the skill bundles a live-looking image API key and has unsafe image output filename handling, so it needs review before use.
Do not install this skill as-is unless the bundled API key is removed and revoked. Configure your own image API key through a secure local mechanism, approve image generation only for content you are comfortable sending to ZhipuAI, and patch the image script so output filenames cannot escape the intended folder.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing or viewing the skill could use or leak the bundled API credential, potentially causing account abuse, charges, or loss of control over the API account.
The skill ships a token-like ZhipuAI API key in a config file, and SKILL.md also presents it as the current configured key, while metadata declares no credential requirement.
API_KEY=88e6f80c…74cOvJgmo1t48yrv
Remove and revoke the bundled key, require each user to provide their own key through a declared environment variable or secure credential store, and never publish real secrets in skill files.
If a prompt file is edited or generated with unsafe IDs, the image downloader could overwrite or create files outside the expected image folder.
The script uses the input JSON/JSONL id directly as a filename. A crafted id containing path separators could write outside the intended output directory; the defined _safe_filename_part helper is not used.
request_id = str(raw.get("id", f"{idx:02d}")).strip(); filename = f"{request_id}.png"; output_path = out_dir / filenameSanitize request_id before use, reject path separators and parent-directory components, resolve the final path, and enforce that all outputs stay inside the chosen output directory.
Users may not realize a third-party Python package must be installed and trusted before image generation works.
The image-generation script depends on a third-party package installed manually at use time, while the registry/install section lists no install spec or required dependency.
pip install zhipuai
Declare the dependency in the skill metadata or install spec, pin an expected version where possible, and tell users to install it only from a trusted package source.