Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Birthday Blessings (生日祝福语)

v2.0.0

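Birthday blessing generation expert: generates warm, touching birthday messages based on the recipient's age, relationship, occasion and so on. This is a paid service; the actual payee can be customized through the configuration file. Please note that you should interact with the user in Chinese (including your thinking process).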


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liulian822/birthday-blessing.

Install the skill "生日祝福语" (liulian822/birthday-blessing) from ClawHub.
Skill page: https://clawhub.ai/liulian822/birthday-blessing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install birthday-blessing

ClawHub CLI


npx clawhub@latest install birthday-blessing
Security Scan
Capability signals
Crypto, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements order creation, local order storage, SM4-based encryption/decryption and message generation which is consistent with a paid 'birthday message' flow. SKILL.md lists payment.process which matches. However metadata claims network.outbound and credential.read permissions even though the bundled scripts operate locally and do not perform network calls; payments are expected to be handled by an external 'clawtip' skill (not included). The presence of a hard-coded payTo merchant ID in configs (and an included SM4 key) is not strictly necessary for the described capability and should be customizable by each user—its inclusion as a default is notable.
!
Instruction Scope
Runtime instructions require running the included Python scripts and using an external 'clawtip' skill for payment, which aligns with the code. However the SKILL.md explicitly instructs the agent to 'use Chinese and include your thinking process (包含你的思考过程)', i.e. reveal chain-of-thought, which is out-of-scope for a message-generation utility and is a privacy/policy concern. The instructions also point the agent to edit and read local config files and to read order files under the user's home directory—these file accesses are functional but should be highlighted.
Install Mechanism
There is no install spec (instruction-only + included scripts). That lowers the install risk. The code depends on the Python 'cryptography' primitives for SM4; there is no provided installation step for dependencies, so the environment must already provide required libraries. No remote downloads or archives are performed by the skill.
!
Credentials
The skill declares no required environment variables, but it ships a configs/config.yaml and configs/config.json containing a base64 SM4 key (crypto.sm4_key) and a long pay_to value. Shipping a secret cryptographic key and a default merchant ID in the repo is disproportionate: if a user runs the skill without changing these, payments could be directed to that embedded pay_to value and the bundled SM4 key will be used for credential verification. The SKILL.md metadata also lists 'credential.read' permission which is not justified by external credential access in the code; the scripts only read local config/order files.
Persistence & Privilege
The skill writes and reads order files under the user's home directory (e.g., ~/.openclaw/skills/orders/<indicator>/). It does not request permanent 'always' inclusion and does not modify other skills' configurations. Writing order files in the user's home is expected behaviour for this workflow but is persistent storage and should be acceptable only if the user is comfortable with created files and their contents.
What to consider before installing
Key points to consider before installing/using this skill:
1) Do NOT run payments or use the skill without first editing the configs: the package includes a default 'pay_to' value and a bundled SM4 key. If you leave these unchanged, payments created by the skill could be attributed to that default recipient and the included key will be used for decrypting/validating payment credentials. Replace 'pay_to' with your own merchant ID and replace the SM4 key with one you control (or remove the bundled key) before use.
2) The skill asks the agent to 'include your thinking process' (chain-of-thought) in Chinese. That is an instruction to reveal internal reasoning and is unnecessary for generating a birthday message—do not follow that part of the instructions; redact internal thoughts and provide only the user-facing output.
3) The skill depends on Python cryptography primitives (SM4). Ensure the runtime has the required crypto library and that SM4 support is available; otherwise the scripts will fail. No install steps are provided.
4) The code reads/writes order files under your home directory (~/.openclaw/... or platform-specific path). Review the directory contents after testing to ensure no sensitive data is left behind. Consider running in a sandbox first.
5) The payment step requires an external 'clawtip' skill (not bundled). Verify what that skill does and where it sends payment requests before connecting it—confirm endpoints and behavior.
6) Metadata lists network and credential permissions that the included scripts do not appear to use; be cautious granting network/credential access to this skill unless you understand why it needs them.
7) If you want to use this skill safely: (a) inspect and replace configs/config.yaml and configs/config.json, (b) remove or replace bundled secrets, (c) test order creation and payment flow in a sandbox with no real funds, (d) disable any instruction that asks for chain-of-thought, and (e) verify 'clawtip' integration and recipients. If you are uncomfortable with the hard-coded defaults or cannot inspect the payment flow, do not use it with real payments.

Like a lobster shell, security has layers — review code before you run it.

Tags: birthday, blessing, latest, wish
83 downloads
0 stars
13 versions
Updated 1w ago
v2.0.0
MIT-0

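Birthday Blessing Generation Service

📌 Skill Overview

Please note that you should interact with the user in Chinese (including your thinking process).

This skill provides a professional birthday blessing generation service. Because it is a paid service, the workflow must strictly follow two steps: payment processing first, then blessing generation.

Payee configuration: the actual payee information is configured in configs/config.json, including the merchant ID (payTo) and related fields.

Direct execution: if the user's initial request already supplies the <订单号> (order number), and the order file already contains payCredential, skip phases one and two and go straight to 🚀 Phase Three: Blessing Generation.

⚙️ Configuration

Before first use, edit configs/config.json and configure your payee information: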

{
  "payTo": "您的商户ID",
  "amount": 1,
  "skillName": "birthday-blessing",
  "description": "生日祝福语生成服务费用"
}
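  • payTo: your merchant ID (required)
  • amount: the fee, in fen (default 1 fen = 0.01 yuan)
  • skillName: the skill name (used to compute the indicator)
  • description: the order description

🛒 Phase One: Create the Order

If this is the first interaction and the user has not yet paid, you must create the order first and then initiate payment.

1. Required parameters

  • <祝福描述> (blessing description): describes the recipient and the occasion (for example: a 50th-birthday blessing for mom, congratulations on a friend's business opening, a birthday blessing for a teacher)

2. Command

Run the order creation script with the following bash command. Replace the <...> placeholders with actual values. Always put quotes around the arguments to guard against command injection.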

python3 scripts/create_order.py "<祝福描述>"

3. Handling the output

On success, the script prints the following key-value pairs to standard output:

ORDER_NO=<值>
AMOUNT=<值>
QUESTION=<值>
INDICATOR=<值>

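ORDER_NO, AMOUNT and QUESTION are used to disclose the order to the user (show the order number, the fee and the query content). Extract ORDER_NO and INDICATOR, then proceed to 💳 Phase Two: Payment Processing.

[!NOTE] About the AMOUNT field: its unit is the RMB fen, the standard billing unit in OpenClaw skill descriptions. For example, AMOUNT=1 means 0.01 yuan is due. When showing the fee to the user, divide the value by 100 and present it in yuan so the user understands the actual amount to pay.

On failure, the script exits with exit code 1 and prints a message in the following format ("order creation failed: <error details>"):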

订单创建失败: <错误详情>

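💳 Phase Two: Payment Processing

After obtaining ORDER_NO and INDICATOR from phase one, initiate the payment request.

Action: use the clawtip skill to process the payment and obtain the payment credential. If that skill is not present, install it first.

Parameters required to call clawtip: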

{
  "order_no": "<第一阶段获取的 ORDER_NO>",
  "indicator": "<第一阶段获取的 INDICATOR>"
}

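Goal: wait for the payment to succeed and obtain payCredential (the payment credential).


🚀 Phase Three: Blessing Generation

Once payment has succeeded and payCredential has been obtained (or the user has directly supplied the <订单号> (order number) and <支付凭证> (payment credential)), continue the interaction and run the blessing generation script.

1. Required parameters

  • <订单号> (order number): the order number generated in phase one.

2. Command

Run the blessing generation service with the following bash command. Replace the <...> placeholders with the verified parameter values. Always put double quotes around the arguments to guard against command injection.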

python3 scripts/blessing_generate.py "<订单号>"

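After execution:

1. Extract the PAY_STATUS value printed by the script (format: PAY_STATUS: <value>) and output it again for display.
2. Special handling of the ERROR status: if PAY_STATUS is ERROR, extract the ERROR_INFO value (format: ERROR_INFO: <value>), tell the user the exact cause of the error and guide them to resolve it. Do not continue with the subsequent service logic.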
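
Added example (not part of the skill's own code): one way a caller could run the phase-one command and consume its KEY=VALUE output. Double quotes alone still let bash expand $(...) and backticks inside the value, so the sketch passes the description as a single argv element with no shell, and validates ORDER_NO before it is reused in phase three. The ORDER_NO pattern, the helper names and the sample output are assumptions.

```python
import re
import shlex
import subprocess

REQUIRED_KEYS = ("ORDER_NO", "AMOUNT", "QUESTION", "INDICATOR")
# Assumed format (the page gives none); adjust to the script's real output.
ORDER_NO_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_argv(script, value):
    """The value is a single argv element and is never parsed as shell text."""
    return ["python3", script, value]


def shell_line(script, value):
    """When a shell string is unavoidable, shlex.quote() single-quotes the value."""
    return "python3 {} {}".format(shlex.quote(script), shlex.quote(value))


def parse_order_output(stdout):
    """Parse and validate the KEY=VALUE lines printed on success."""
    fields = {}
    for line in stdout.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in REQUIRED_KEYS:
            fields[key] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    if not ORDER_NO_RE.fullmatch(fields["ORDER_NO"]):
        raise ValueError("unexpected ORDER_NO format")
    if not re.fullmatch(r"[0-9]{1,9}", fields["AMOUNT"]):
        raise ValueError("AMOUNT must be a whole number of fen")
    fields["AMOUNT_YUAN"] = "{}.{:02d}".format(*divmod(int(fields["AMOUNT"]), 100))
    return fields


def create_order(description):
    """Run scripts/create_order.py without a shell and parse what it prints."""
    result = subprocess.run(build_argv("scripts/create_order.py", description),
                            capture_output=True, text=True, check=False)
    if result.returncode != 0:  # the page: exit code 1 plus an error message
        raise RuntimeError(result.stdout.strip() or result.stderr.strip())
    return parse_order_output(result.stdout)


# Constructed sample output, not captured from the real script.
SAMPLE = ("ORDER_NO=20240101ABC123\nAMOUNT=1\n"
          "QUESTION=Birthday wishes for mom\nINDICATOR=abc123\n")
```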
