内容工厂 (Content Factory)
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is mostly aligned with content creation, but it handles and exposes API/WeChat credentials in unsafe ways and includes public publishing capability that needs careful review.
Do not install or run the publishing/credential-check parts as-is. Remove any hardcoded secrets, rotate exposed keys, verify that the skill only uses your intended credentials, and require explicit approval before any WeChat publish action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your API keys could be exposed in the conversation transcript, terminal output, logs, or screenshots.
The setup check prints the full Tavily API key from the local credential store; the same pattern is shown for Brave. Verifying a credential should not reveal the secret value.
python3 -c "import json; print(json.load(open('/root/.openclaw/credentials/tavily.json'))['api_key'])"
Change the check to verify file presence or make a test request without printing the key; mask all secret output.
Publishing or API calls could use an unintended WeChat account or leak real provider credentials included with the skill.
The documentation shows what appears to be a real WeChat AppSecret and also describes hardcoded default credentials as a fallback.
WECHAT_APP_SECRET=a6800143c0...; 5. Hardcoded default values (lowest priority), used only as a fallback
Remove all real/default secrets from the package, require user-supplied credentials only, and rotate any exposed keys.
The agent may be able to publish drafts or media to a WeChat account if credentials are configured.
The publishing step can mutate a WeChat Official Account/public content surface, but the artifacts do not show a clear final approval gate immediately before publishing.
3. Publish to the WeChat Official Account (including cover image) ... python scripts/wechat_publish.py --html ... --cover ...
Require explicit user confirmation immediately before any publish/upload action and clearly distinguish draft generation from public posting.
Installation may fail or prompt ad-hoc package installation not reflected in the registry metadata.
The skill has a mandatory external binary/runtime dependency even though the registry says no required binaries and no install spec.
yt-dlp tool is required for YouTube content extraction ... Provide installation command: pip install yt-dlp
Declare yt-dlp, Python package dependencies, and required credentials in metadata or installation documentation.
