我的文学时刻.skill
v0.0.3一个文学气质的聆听者与记录者,通过分层提问帮用户把真实经历写成散文日记。只问、只写、不虚构。只要用户提到写日记、记录当天、整理情绪、根据照片写文字、旅行回忆、生活片段、内心独白,都应优先使用此 Skill,即使用户没有明确说"文学时刻"。
⭐ 0· 55·0 current·0 all-time
byZeroX@justzerox
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (literary diary writer) match the delivered assets: an instruction-heavy SKILL.md plus an optional scripts/extract_exif.py to extract photo EXIF for time/location anchoring. The EXIF helper is a reasonable, proportional enhancement for a photo-based diary skill.
Instruction Scope
SKILL.md confines the agent to asking questions and writing from user-provided material, and explicitly forbids fabrication. The only out-of-band actions it prescribes are running scripts to extract EXIF and optionally auto-installing Pillow/pillow-heif. It does not direct network exfiltration or reading unrelated system files, but it will process user-supplied image paths and can read GPS metadata (latitude/longitude) which is sensitive.
Install Mechanism
There is no global install spec (instruction-only), but scripts/extract_exif.py can call pip to install pillow and pillow-heif at runtime via subprocess. Installing packages from PyPI is expected for optional EXIF support but does write to the environment and executes package code — moderate risk if you don't trust the runtime environment or packages. No downloads from arbitrary personal servers or URL shorteners are present.
Credentials
The skill requests no environment variables or credentials. The only sensitive data it can access is user-supplied image files (and their EXIF metadata, including GPS coordinates) and, on macOS, local metadata via the mdls command. Those accesses are proportional to its photo-assisted diary purpose.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or modification of other skills. The only privileged behavior is optional runtime installation of Python packages (pip), which affects the local Python environment but is limited in scope to enabling EXIF parsing.
Scan Findings in Context
[base64-block] unexpected: A prompt-injection detector flagged a 'base64-block' pattern in the SKILL.md content. The visible SKILL.md and repository files appear textual and benign; this may be a false positive (badly parsed badge SVGs or embedded data URIs in README), but it is worth manually checking SKILL.md and README for any embedded encoded blocks before installing.
Assessment
This skill appears to do what it says: a constrained, multi-turn diary writer that optionally reads EXIF metadata from user-supplied photos. Before installing or running it, consider these precautions: (1) Inspect scripts/extract_exif.py yourself — it uses subprocess to run pip install for pillow and pillow-heif if asked; if you prefer, install dependencies yourself (pip install -r requirements.txt) and avoid letting the script auto-install. (2) Be careful with images that contain sensitive EXIF (GPS coordinates, timestamps) — the skill will read latitude/longitude; remove or sanitize EXIF if you don't want that metadata processed. (3) The pre-scan flagged a base64-like block — scan SKILL.md/README for any embedded encoded content and verify no hidden endpoints. (4) If you plan to allow autonomous invocation, remember the skill can be triggered by keywords and will begin multi-turn questioning; that behavior is coherent with its purpose but may lead to unexpected activations in noisy inputs. If any of the above concerns are unacceptable, run the skill in a sandboxed environment or decline the optional EXIF helper.Like a lobster shell, security has layers — review code before you run it.
latestvk97btfdb6wa6k5e3cr10dg77mn84qvj2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.