ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

article-idea-capture

v0.1.0

Record公众号文章灵感、选题、半成品观点,并持续整理成可写的大纲或初稿。Use when the user says they have an article idea, topic, inspiration,选题, 钩子, 标题想法, or wants to save a thought for later...

0· 218·2 current·2 all-time
by@g-hanasq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (capture and expand article ideas) matches the instructions for creating concise idea cards and expanding them. However, the SKILL.md expects appending to a specific Feishu doc URL (primary sink) even though the skill metadata declares no required tools, credentials, or environment variables — a capability mismatch.
!
Instruction Scope
Instructions tell the agent to append to a specific Feishu doc URL or, if unavailable, to a local absolute path (/Users/shiyi/.openclaw/workspace/research/article-idea-pool.md). That requires write access to local filesystem and/or Feishu API access. The skill does not explain how to authenticate to Feishu, nor does it make the fallback path configurable; hardcoded user-home paths can lead to unexpected access attempts on the host.
Install Mechanism
There is no install spec and no code files (instruction-only). This minimizes on-disk installation risk.
!
Credentials
No environment variables or credentials are declared, yet the skill expects to write to a Feishu document (external service) — implicitly requiring Feishu credentials or an authenticated tool. Also, the hard-coded local path targets a specific user directory (shiyi) which may not match the current environment and could cause accidental writes outside an expected workspace.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request elevated or persistent platform privileges. No evidence it modifies other skills or system-wide configs.
What to consider before installing
This skill is plausibly doing what it says (saving and expanding article ideas) but the runtime instructions assume access to a specific Feishu doc and a hard-coded local path while declaring no credentials or tools. Before installing or enabling it: 1) Confirm whether your agent environment has a Feishu integration and whether that Feishu doc URL belongs to you — do not provide Feishu credentials unless you trust the skill source. 2) Ask the skill author to declare required tools/credentials (or make Feishu optional/configurable) and to avoid hard-coded absolute paths; request a configurable workspace path instead. 3) If you do not want writes to your filesystem, ensure the agent is prevented from using the fallback local path or update the fallback to a safe, user-controlled workspace. These steps will reduce the risk of unexpected data writes or accidental disclosure of credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767z7q2jghgwe6pg3bk7a28n82tnj5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments