Baoyu Infographic
v1.76.1Generates professional infographics with 21 layout types and 20 visual styles. Analyzes content, recommends layout×style combinations, and generates publicat...
⭐ 1· 1.3k·41 current·41 all-time
byJim Liu 宝玉@jimliu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (infographic generation, layout/style templates) matches the provided files (layout/style reference templates and prompts). There are no declared binaries, env vars, or external services required, which is proportionate for a templated, instruction-only generator.
Instruction Scope
The SKILL.md contains detailed runtime instructions and many local reference templates; it instructs the agent to read the entire source document and to check for an EXTEND.md in project/config locations. That behavior is reasonable for loading user preferences, but it means the agent will read user files and preserve source data verbatim. The SKILL.md also instructs stripping credentials/secrets before including outputs — this mitigates risk, but it relies on correct implementation by the agent. The 'preserve verbatim' rule combined with requiring secret-stripping is a subtle tension worth noting.
Install Mechanism
No install spec and no code files that would be written or executed on disk. Instruction-only skills have the lowest install risk and this skill follows that pattern.
Credentials
The skill requests no environment variables or credentials (good). It does instruct checking config files in the user's project directory and XDG_CONFIG_HOME / $HOME paths for EXTEND.md, which is reasonable for preference overrides but could expose local configuration or user-specific data. No unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system presence. disable-model-invocation is false (normal), allowing autonomous invocation — acceptable here and not flagged on its own. The skill does not instruct modifying other skills or system-wide settings.
Assessment
This skill is internally consistent and appears to do what it says: generate infographic prompts and structured content using local template references. Before installing or invoking it: (1) avoid pasting or pointing it at documents that contain secrets (API keys, passwords, private personal data), because the workflow reads source files verbatim (the skill says it will strip secrets, but that relies on correct behavior); (2) review any EXTEND.md or local config it might load (.baoyu-skills/..., ${XDG_CONFIG_HOME:-$HOME/.config}/baoyu-skills, etc.) so it doesn't inherit unexpected preferences or data; and (3) because the skill is instruction-only with no install or external endpoints, there is no obvious network exfiltration in the manifest, but you should still treat the agent's outputs as potentially capable of reproducing sensitive text if secret-stripping fails. If you need stronger guarantees, test on non-sensitive sample content or inspect the EXTEND.md and project files first.Like a lobster shell, security has layers — review code before you run it.
latestvk97avta2b7fkcfm62vvx9zzk1983cnd6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.