Xiaohongshu Image-and-Text Post Creation
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The image workflow may fail or may require running extra, unreviewed code outside the supplied skill package.
The recommended KIE image workflow depends on helper scripts that are referenced by the instructions but are not present in the provided file manifest, leaving the executable provenance and required setup unclear.
python3 ${SKILL_DIR}/scripts/kie-callback-server.py & ... python3 ${SKILL_DIR}/scripts/kie-create-task.py ... python3 ${SKILL_DIR}/scripts/kie-wait-download.py
Do not use the KIE workflow until the missing helper scripts and required binaries are supplied, reviewed, and declared; otherwise prefer the included Seedream script.
A local service could remain running or reachable longer than intended while the tunnel is active.
This starts a local callback server in the background and exposes it through a public Cloudflare tunnel, but the artifacts do not document shutdown, origin checks, or scope limits.
python3 ${SKILL_DIR}/scripts/kie-callback-server.py &
cloudflared tunnel --url http://127.0.0.1:8787
Run callback/tunnel commands only when necessary, stop both processes immediately after image generation, and document the callback server’s accepted routes and validation behavior.
Running the Seedream image path requires access to a provider API key and sends the cover prompt to the configured image API endpoint.
The included Seedream script reads a local API key and uses it as a bearer token for the image-generation API; this is purpose-aligned, with no hardcoded or logged key shown, but it is sensitive credential access.
CREDENTIALS_FILE = "/root/.openclaw/credentials/seedream.json" ... "Authorization": f"Bearer {API_KEY}"
Store only the intended Seedream API key in that credential file, verify the endpoint, and avoid placing unrelated secrets there.
