Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaohongshu Viral Title Generator (小红书爆款标题生成)

v1.0.0

A tool that generates viral Xiaohongshu (XHS) titles from whatever information the user enters. No matter what the user inputs, the end goal is always a viral Xiaohongshu title. The task runs only in the main agent, not in sub-agents.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (generate XHS titles) match the included files: the instructions describe querying trend data, the repo contains a script that fetches XHS-related data, and SKILL.md describes the analysis and generation steps. Requesting no credentials and shipping no binaries is consistent with that purpose.
Instruction Scope (flagged)
SKILL.md and references/core_workflow.md require reading local policy files and running a script that calls an external API with the user's input as a `keyword` parameter. Arbitrary user-provided text is therefore transmitted to a third party as part of normal operation, which is a privacy and data-exfiltration risk whenever users supply sensitive content.
Install Mechanism
No install spec (instruction-only, with one Python script). Not installing third-party packages or downloading archives reduces risk. The script relies on the Python standard library; `requests` is declared as a dependency, but no package install step is specified.
Credentials (flagged)
The skill requests no environment variables or credentials (good), but it sends user input to https://onetotenvip.com/..., an undocumented third-party service. Combined with the script's TLS handling (see below), this is disproportionate for users who would expect local processing or an official API.
Persistence & Privilege
always:false and no install modifications. The skill requests no persistent privileges and does not modify other skills or configuration: normal, limited persistence.
What to consider before installing
This skill sends whatever text the user provides (the keyword) to an external, undocumented domain (onetotenvip.com). The bundled Python script deliberately disables TLS certificate verification and omits SNI on its HTTPS connections. That is unusual and weakens both authenticity and confidentiality: without verification the script accepts any certificate, so an on-path attacker can impersonate the endpoint, and without SNI the request may be served by a nonstandard or default virtual host rather than the one named in the URL. If you plan to use it:
(1) Do not supply sensitive or private input (passwords, PII, proprietary text).
(2) Ask the author who owns the API, what its privacy policy is, and why certificate verification and SNI are disabled.
(3) Run the skill in a network-restricted sandbox, or block its outbound requests, until you have validated the endpoint.
(4) Prefer a version that uses standard HTTPS libraries with proper certificate validation, or an official, transparent data provider.
(5) If you cannot validate the endpoint and its purpose, treat the skill as potentially exfiltrative and do not install it on high-trust or production agents.
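As a concrete pre-install check for the TLS concern above (an added example, not code from the skill, its author, or ClawHub), the following Python scans a bundled script's source for the constructs a reviewer would look for: an unverified or CERT_NONE context, `check_hostname = False`, `verify=False` on `requests` calls, and `wrap_socket` without `server_hostname` (no SNI). The sample it scans is constructed to mimic the described pattern and is not the skill's actual file; only the domain is taken from this page. `hardened_context` shows the standard verifying setup that a replacement version should use.

```python
"""Static check for TLS weakening in a bundled Python script, next to the
hardened form of the same HTTPS setup. Added example; not the skill's code."""
import ast
import ssl

# Constructed sample that mimics the pattern the scan describes. It is parsed,
# never executed, so the undefined `keyword` name does not matter.
SAMPLE_SCRIPT = '''
import socket, ssl, requests
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
raw = socket.create_connection(("onetotenvip.com", 443))
tls = ctx.wrap_socket(raw)
requests.post("https://onetotenvip.com/api", data={"keyword": keyword}, verify=False)
'''

# The same calls written the way a reviewer would expect to see them
# (constructed for contrast; not a file from the skill).
HARDENED_SCRIPT = '''
import socket, ssl
ctx = ssl.create_default_context()
raw = socket.create_connection(("onetotenvip.com", 443))
tls = ctx.wrap_socket(raw, server_hostname="onetotenvip.com")
'''


def _dotted(node: ast.AST) -> str:
    """Render `a.b.c` for Attribute/Name chains; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _is_const(node: ast.AST, value) -> bool:
    """True when `node` is the literal constant `value` (False / None)."""
    return isinstance(node, ast.Constant) and node.value is value


def scan_tls_weakening(source: str) -> list[str]:
    """Return one finding per TLS-weakening construct found in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
            if name.endswith("_create_unverified_context"):
                findings.append(f"line {node.lineno}: unverified SSL context")
            if "verify" in kwargs and _is_const(kwargs["verify"], False):
                findings.append(f"line {node.lineno}: verify=False")
            if name.endswith("wrap_socket") and "server_hostname" not in kwargs:
                findings.append(f"line {node.lineno}: wrap_socket without server_hostname (no SNI)")
            if "server_hostname" in kwargs and _is_const(kwargs["server_hostname"], None):
                findings.append(f"line {node.lineno}: server_hostname=None (no SNI)")
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                attr = _dotted(target)
                if attr.endswith(".check_hostname") and _is_const(node.value, False):
                    findings.append(f"line {node.lineno}: check_hostname = False")
                if attr.endswith(".verify_mode") and _dotted(node.value).endswith("CERT_NONE"):
                    findings.append(f"line {node.lineno}: verify_mode = CERT_NONE")
    return findings


def hardened_context() -> ssl.SSLContext:
    """Verifying client context: system CA store, hostname check on,
    verify_mode CERT_REQUIRED. Pair it with server_hostname so SNI is sent."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, scan_tls_weakening(src) or "no TLS-weakening patterns")
```

Run `scan_tls_weakening` over the skill's own script (read the file contents in) before installing. An empty result only means the transport is not deliberately weakened; it says nothing about who receives the keyword, so the egress question still needs the author's answer or a sandbox with outbound rules.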


latest: vk97b43yv25kh94weqn0x0exjcn84vvq0
