Visnote Image Creator
v0.1.0This skill should be used when generating XiaoHongShu (小红书) style images. The AI analyzes user requirements, reads template registry to select appropriate te...
⭐ 0· 38·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name/description align with what it actually does: it selects templates from a remote VisNote registry and drives a headless browser to generate images. One minor inconsistency: the registry metadata lists no required config paths or env vars, but both SKILL.md and scripts/generate-image.mjs require a local config.json containing an apikey. This is expected for the described functionality but the manifest did not declare it.
Instruction Scope
SKILL.md directs the agent to read config.json for an apikey, fetch templates from the VisNote API, and use Playwright-driven automation to upload local images and save an output PNG. The instructions do not ask for unrelated system files or credentials. They do instruct the agent to read local image files (if provided) and config.json, which is coherent with the skill's purpose.
Install Mechanism
There is no install spec (instruction-only skill) but package.json and claw.config list playwright as a dependency. The code requires installing Playwright and a Chromium browser via standard npm/npx commands; no downloads from suspicious URLs or obfuscated installers are present.
Credentials
The skill legitimately needs an API key for the VisNote service, provided via a local config.json. However, the skill metadata did not declare required config paths or environment variables; the agent will look for config.json in the project root. The script also constructs a URL that includes the API key as a query parameter when opening the editor (this is functional but has security implications—see guidance). No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on inclusion (always:false) and does not modify other skills or system-wide settings. It runs on demand and uses local filesystem access to read config.json and optional image files and to write the output image.
Assessment
This skill appears to do what it says, but check these before installing:
- Provide the API key only if you trust https://vis-note.netlify.app. The script expects a config.json in the project root (not an environment variable) — the package metadata did not declare this, so you must create the file yourself.
- The script includes your API key in the editor URL query string when it opens the site; query parameters can appear in logs or referer headers, so treat the key as sensitive and rotate it if exposed.
- The skill will read any local image paths you pass (and will write the output image). Only provide files you intend to upload and avoid pointing it at sensitive files.
- It requires Playwright and a Chromium browser (npm install playwright; npx playwright install chromium). Running headless browsers can download browser binaries — review and approve those steps.
- Verify the VisNote API endpoints and the project's GitHub/homepage (URLs in the README and claw.config) independently to confirm authenticity before providing your API key.
- If you need stricter controls, consider running the generate script locally rather than granting an autonomous agent broad filesystem/network access.Like a lobster shell, security has layers — review code before you run it.
latestvk9777jb8rm44sdts6dzwph3wts846prh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.