AI-generated
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The provided artifacts match an ad-creative generation/task-management skill and show no evidence of malicious behavior, with only low-risk notes around task data visibility and request limits.
This skill appears safe to install based on the provided artifacts. Before use, avoid putting confidential information into generation prompts, and consider adding limits and scoping if it will be used by multiple users or for high-volume generation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Very large generation requests could consume extra local resources, and if later connected to real model providers, could create cost or quota impact.
The command exposes a user-controlled generation count. The visible implementation defaults to 4 and only creates mock in-memory results, but it does not show an explicit maximum or approval threshold for large requests.
count: { type: "number", help: "生成数量 (默认4)", default: 4 }
Add validation such as a maximum count, clear user confirmation for large batches, and cancellation checks before completing queued work.
Prompts and generation parameters may remain visible within the running skill instance through task status or listing commands.
The skill stores task prompts, params, and results in memory and provides status/list access to task data. This is aligned with task management, but prompts may contain private campaign details.
private tasks: Map<string, GenerationTask> = new Map();
Do not include secrets in prompts; implement per-user or per-session task scoping, expiration, and redaction for sensitive prompt fields if the skill is used in shared environments.
