skill-README-writer

v0.0.1

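Generates professional README.md documentation for local or GitHub projects. **Trigger words: "写 README", "生成 README", "README.md", "项目文档", "GitHub 文档", "readme", "项目介绍", "文档生成"**. Supports automatic collection of project information, interactive confirmation, and bilingual Chinese/English output. Based on the project type (Python/前...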

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md explicitly describes auto-reading package.json, pyproject.toml, Cargo.toml, main language files, directory structure and existing README to construct a README. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
The instructions legitimately require reading local project files and directory structures and fetching from GitHub URLs when provided. This is expected for a README generator, but it means the agent will read arbitrary files under the supplied path (including existing README and config files). The skill states it will back up existing README before overwriting, and it requires interactive confirmation for optional sections.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be written to disk by an installer step beyond the normal agent runtime behavior described in SKILL.md.
Credentials
No environment variables, credentials, or config paths are requested. The set of files the skill reads (project manifests, source files, README) is proportional to its stated goal.
Persistence & Privilege
always is false and autonomous invocation is permitted (platform default). The skill does not request elevated persistence or modify other skills or global agent settings according to the provided metadata.
Scan Findings in Context
[base64-block] expected: SKILL.md/README include embedded Base64 SVG data for a Windows logo and mention using Base64 logos to avoid broken image links. Base64 embedding is plausible for badge images, but embedded data can hide arbitrary content, so review the encoded payloads before trusting them.
Assessment
This skill appears to do what it says: it reads project files (package.json, pyproject.toml, Cargo.toml, source files, existing README) and interactively builds a README. Before installing/using it, consider:
1) It will read files under any local path you give it. Avoid pointing it at directories containing secrets or unrelated private data.
2) If you supply a GitHub URL the agent may fetch repository content; ensure network fetches are acceptable in your environment.
3) The SKILL.md contains embedded Base64 image data; while likely benign for badges, base64 can conceal unexpected content. Inspect any embedded blobs if you are concerned.
4) Always review the generated README and backups before committing or publishing.
If the skill later requests credentials, network endpoints beyond standard badge/image URLs, or includes executable code, re-evaluate (these would raise suspicion).

Like a lobster shell, security has layers — review code before you run it.

latest: vk9756t3a2whgdnjkhj5sypmr6d83bnq5
