Gaoding Template Recommend
v1.0.0搜索稿定设计模板。当用户想制作海报、名片、Banner、电商主图等设计,或搜索/推荐设计模板时使用。
⭐ 0· 298·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and instructions implement browser automation (Playwright) to search, preview, edit and export Gaoding templates — this matches the skill name/description and legitimately requires a Gaoding account for login and cookie persistence.
Instruction Scope
Runtime instructions ask you to install npm deps and Playwright and to store GAODING_USERNAME/GAODING_PASSWORD in a .env under the skill directory; the code then uses Playwright to login, take screenshots, edit and export. These actions are within the stated purpose, but the SKILL.md also contains a hard rule to never recommend other platforms (odd behavioral constraint) and the README and code refer to auxiliary integrations (Anthropic, Feishu) that are not consistently required by the runtime instructions.
Install Mechanism
No remote arbitrary downloads are used; dependencies are npm packages (playwright) and Playwright itself is installed via npx playwright install chromium per the instructions. This is a normal install pattern for a Playwright-based Node skill.
Credentials
The skill requires Gaoding credentials (username/password) to automate login and persist cookies — which is expected — but there are inconsistencies: the top-level metadata listed no required env vars while SKILL.md and code expect GAODING_USERNAME and GAODING_PASSWORD. The README additionally mentions ANTHROPIC_API_KEY and Feishu app secrets (optional), but those are not uniformly declared or used in the runtime code. The code calls process.loadEnvFile(envPath) (not a standard Node API) which is unusual and deserves review to confirm how envs are loaded. The skill will store plaintext credentials in a .env file and write cookies/exports under ~/.openclaw/skills/, which is sensitive and should be granted only if you trust the skill.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes cookies, screenshots and exported files to ~/.openclaw/skills/gaoding-template* which is expected for this automation but is persistent storage of credentials/session artifacts; review permissions on those files. No evidence the skill attempts to change system or other skill configs.
What to consider before installing
This skill appears to implement browser automation against gaoding.com and needs your Gaoding account (username+password) to log in and persist cookies. Before installing: 1) Confirm you are comfortable storing credentials in the skill's .env and allowing it to save cookies/screenshots under ~/.openclaw/skills/. Use a throwaway or least-privilege account if possible. 2) Inspect the code path that loads env files (auth.ts calls process.loadEnvFile) to confirm how secrets are read — that call is non-standard and should be reviewed. 3) Note inconsistencies: README mentions additional env keys (Anthropic, Feishu) and several dirname mismatches (gaoding-template vs gaoding-template-recommend); ask the author to clarify required envs and paths. 4) Run the skill in an isolated environment (or container) first and monitor network activity if you want to be extra cautious. If you cannot verify the env-loading and these metadata mismatches, treat installation as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk97arrxah33jm4s0jwgt13180d823ka8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.