skill-my-prose-poem
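v0.0.1
A listener and recorder with a literary temperament that uses layered questioning to help users turn real experiences into prose diary entries. It only asks and writes; it never fabricates. Whenever the user mentions writing a diary, recording the day, sorting out emotions, writing text from photos, travel memories, fragments of daily life, or inner monologue, this Skill should be preferred, even if the user does not explicitly say "prose poem".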
by ZeroX @justzerox
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the skill is a writing assistant that optionally reads photo EXIF to anchor time/place. The only code file (scripts/extract_exif.py) and requirements (pillow) directly support that feature — nothing else (no cloud SDKs, no unrelated binaries or credentials) is requested.
Instruction Scope
SKILL.md confines runtime behavior to multi‑round questioning, writing rules, and an optional local EXIF extraction step. It does not instruct reading system config, unrelated files, or exfiltrating data. The only external action described is running the provided Python script on images or asking the user for missing metadata.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk. The extract_exif.py can auto-install Pillow by invoking pip at runtime (subprocess.check_call). Auto‑installing dependencies at runtime requires network access and modifies the environment; this is expected for optional EXIF support but is the main operational risk to be aware of.
Credentials
The skill declares no required environment variables or credentials. The script does read an optional env var (MY_PROSE_POEM_AUTO_INSTALL) to enable auto-install behavior, but that env var is not declared in metadata — a minor mismatch. No secrets or unrelated tokens are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent system privileges, modify other skills, or claim to write global agent configuration.
Scan Findings in Context
[base64-block] expected: A base64 data URI appears in the README badges (image/svg data URI). This is a benign README artifact and not an instruction to exfiltrate data or perform prompt injection in runtime behavior.
Assessment
This skill appears internally consistent for a 'prose diary' assistant. Things to consider before installing: (1) optional EXIF support will run a local Python script and may attempt to auto-install the Pillow package via pip (runtime network access and package installation) — you can disable auto-install and let the skill ask you for photo timestamps instead; (2) the script checks the MY_PROSE_POEM_AUTO_INSTALL env var (not listed in metadata) to enable auto-install — if you want to avoid runtime installs, ensure that env var is unset and do not pass the --auto-install flag; (3) the repository contains only documentation and a small helper script and does not request any credentials or external endpoints. If you are comfortable allowing optional local package installation, the skill is coherent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk9754mag99y0fw54fkc14c72ds84bdrz
