ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

自媒体内容创作大师

v1.0.0

部署内容创作Agent团队(墨白主编+探风选题+锦书文案),平台无关的内容生产核心。使用 /content-creation 触发,交互式引导配置品牌信息并自动部署。

0· 137·2 current·2 all-time
by@little-ke
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise to deploy a 3-person content-creation agent team and the repository contains templates and a Node.js setup script that copies templates and registers agents via the openclaw CLI — this is coherent with the stated purpose. No unrelated credentials, binaries, or external packages are requested.
!
Instruction Scope
SKILL.md describes an interactive, three-round user prompt flow that collects 12 fields and then writes those answers into USER.md files (template substitution). The provided scripts/setup.cjs, however, does not implement interactive prompting or placeholder substitution: it merely copies markdown templates into ~/.openclaw/workspace-content-creation/<agent> and runs 'openclaw agents add'. Templates also reference extra placeholders (e.g., current_followers, growth_target) and some bootstraps mention 5 agents while the script deploys 3 — these inconsistencies mean the README/instructions and the runnable script do not fully match.
Install Mechanism
No remote downloads or package installs. The included script is a local Node.js script that uses fs and child_process.execSync to copy files and call the local 'openclaw' CLI. There are no external URLs, no archives to extract, and no package registry installs in the skill bundle.
Credentials
The skill requests no environment variables or secrets. The script respects an optional OPENCLAW_HOME environment variable (falling back to ~/.openclaw) — reasonable for an OpenClaw-integrating tool. It does create files under the user's home directory (~/.openclaw), which is expected for agent workspaces but worth noting.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It will create a workspace directory under the user's OpenClaw home and register agents via the openclaw CLI (persistent changes within the OpenClaw ecosystem). This behavior is consistent with the stated purpose but will modify ~/.openclaw and OpenClaw's agent registry.
What to consider before installing
What to consider before installing: - Functional mismatch: SKILL.md promises interactive collection of user answers and placeholder substitution into USER.md files, but scripts/setup.cjs only copies templates and runs 'openclaw agents add' — it does not prompt the user or replace placeholders. If you expect the interactive flow, you'll need to run the prompts elsewhere or modify the script to perform replacements. - Template inconsistencies: Some templates include placeholders not collected by the SKILL.md prompts (e.g., current_followers, growth_target). Some BOOTSTRAP.md mentions a 5-person team although the script deploys 3 agents. Review and edit templates to avoid incomplete or misleading files. - File and CLI changes: The script will create ~/.openclaw/workspace-content-creation and call the local 'openclaw' CLI to register agents. Back up any existing ~/.openclaw state before running. Confirm that the 'openclaw' binary you have is the expected, trusted CLI (the script executes shell commands via execSync). - No obvious exfiltration or remote download: There are no external URLs or hidden network endpoints in the bundle, and it doesn't request secrets. However, the deployed agents/templates instruct future agent instances to perform web searches and to write memory files under the workspace; consider whether you are comfortable with those agents having read/write access to files under ~/.openclaw. - Safe testing recommendations: Run the script in a controlled environment first (non-production account or temporary user), inspect the copied template files before letting any agent run autonomously, and consider manually performing the interactive prompt-and-template-substitution step rather than relying on the provided script. If you want the full interactive behavior, update or wrap scripts/setup.cjs to implement the prompt+templating logic or rely on the platform's agent runtime to collect and write the USER.md fields as described. If you want, I can point out exact lines in scripts/setup.cjs to change to implement interactive prompting and placeholder substitution, or produce a safe 'dry-run' variant that only prints actions without writing files or registering agents.
scripts/setup.cjs:26
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d8dahpen2p1xaspntz9p1wh83cwz6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments