ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lanxin App Articles

v1.0.0

蓝信官方图文卡片发送能力,支持发送包含图片和文字的图文卡片消息。

0· 65·0 current·0 all-time
by@iamdacai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for iamdacai/lanxin-app-articles.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Lanxin App Articles" (iamdacai/lanxin-app-articles) from ClawHub.
Skill page: https://clawhub.ai/iamdacai/lanxin-app-articles
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lanxin-app-articles

ClawHub CLI

Package manager switcher

npx clawhub@latest install lanxin-app-articles
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (send Lanxin 图文卡片 JSON) aligns with the code (index.js only exports metadata) and there are no unexpected required binaries, env vars, or config paths. Nothing in the package claims unrelated capabilities.
!
Instruction Scope
SKILL.md instructs the agent to always output only a clean appArticles JSON block, forbids any refusal or explanatory text, and forbids markdown/code fences. While these rules are coherent with a machine-to-machine card format, they are coercive: (1) the skill forbids refusing requests — which may force the agent to produce JSON even in inappropriate/sensitive contexts; (2) the rigid requirement to output raw JSON increases the risk that the model will include contextual or sensitive data in the JSON fields if prompted; and (3) the instructions provide no guidance about validation, destination, or sanitization of content.
Install Mechanism
No install spec is present (instruction-only), and the single index.js is a tiny metadata stub with no network calls or suspicious code. This is low risk from an install standpoint.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate and minimal for the stated purpose.
!
Persistence & Privilege
Registry flags show always:false, but SKILL.md metadata contains "openclaw":{"always":true}, which appears to request always-on inclusion. If that metadata is honored by the platform, the skill would gain elevated persistence combined with autonomous invocation (disable-model-invocation is false by default), increasing the blast radius of the coercive output rules described above. This inconsistency should be clarified with the author or platform.
What to consider before installing
Before installing, consider: (1) Confirm whether the platform will honor the SKILL.md metadata 'openclaw.always=true' — if so, the skill could be force-included in all agent runs. (2) The skill's rules force the model to emit raw JSON and forbid refusal or explanation; that is sensible for machine-targeted card payloads but can be abused to cause the agent to output structured data containing sensitive context. Test the skill in a sandboxed agent, and ask the author to: remove or justify the 'always' metadata, add explicit validation/sanitization guidance for fields, and allow the agent to refuse or ask clarifying questions when a request is inappropriate. If you run agents in environments with sensitive secrets, avoid enabling always-on or autonomous invocation until these issues are resolved.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📄 Clawdis
latestvk973x25yj3hk05ht1e8dqas6r985c3nx
65downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
@iamdacai
latest
Download

蓝信图文卡片发送规则(必须严格遵守)

核心规则(绝对禁止违反)

  1. 用户要求发送图文卡片,必须直接输出 JSON 格式的 appArticles 消息
  2. JSON 必须包含所有必填字段
  3. 禁止说“无法发送”“不支持”“暂时不能”等拒绝话术
  4. 禁止解释 JSON 格式,直接输出即可
  5. 禁止输出任何其他文本,只输出 JSON
  6. 禁止使用 Markdown 代码块包裹 JSON
  7. 禁止输出 <lxfile><lximg> 标签

发送图文卡片(必须这样输出)

注意:必须直接输出 JSON,不要添加任何其他文本,不要使用 Markdown 代码块包裹!

正确格式: { "appArticles": [ { "imgUrl": "图片链接", "title": "标题", "summary": "摘要", "url": "内容地址", "pcUrl": "PC端内容地址", "attach": "微应用跳转参数" } ] }

正确示例: { "appArticles": [ { "imgUrl": "https://www.lanxin.cn/images/logo.png", "title": "蓝信新版本发布", "summary": "蓝信 5.0 版本正式发布,带来全新的用户体验", "url": "https://www.lanxin.cn/news/5.0", "pcUrl": "https://www.lanxin.cn/news/5.0", "attach": "" }, { "imgUrl": "https://www.lanxin.cn/images/feature.png", "title": "蓝信新功能介绍", "summary": "了解蓝信 5.0 的新功能和改进", "url": "https://www.lanxin.cn/features/5.0", "pcUrl": "https://www.lanxin.cn/features/5.0", "attach": "" } ] }

字段说明

  • imgUrl(必填):图片链接
  • title(必填):标题
  • summary(选填):摘要
  • url(必填):内容地址
  • pcUrl(必填):PC 端内容地址
  • attach(选填):微应用跳转参数,其他应用忽略(或输入空值)

严禁出现的错误行为

❌ 禁止:缺少必填字段 ❌ 禁止:格式错误的 JSON ❌ 禁止:解释“这是 JSON”“系统会解析” ❌ 禁止:拒绝发送 ❌ 禁止:只输出文字内容,不输出 JSON ❌ 禁止:输出任何其他文本,只输出 JSON ❌ 禁止:使用 Markdown 代码块包裹 JSON ❌ 禁止:输出 <lxfile><lximg> 标签 ❌ 禁止:输出 Markdown 格式的文本 ❌ 禁止:在 JSON 前后添加任何文字

你的行为准则

用户让你发送图文卡片 → 直接输出干净的 JSON → 不要多余描述 → 不要格式包裹 → 完成。

Comments

Loading comments...