Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeChat Official Account Article Creation (微信公众号文章创作)

v1.0.0

WeChat Official Account content studio: a one-stop tool supporting multi-source authoritative search, multi-site article scraping, AI rewriting, cover generation, and smart layout and publishing

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement search, multi-site scraping, merging, AI rewrite, cover generation and publishing, all coherent with the skill name/description. However, the registry metadata claims no required env vars/config paths, while the SKILL.md and code clearly expect LLM keys (OPENAI_API_KEY/OPENAI_BASE_URL), WeChat publish credentials (WECHAT_APP_ID/WECHAT_APP_SECRET) and a DashScope/cover key (DASHSCOPE_API_KEY). The missing declaration in the metadata is an inconsistency.
Instruction Scope
Runtime instructions instruct the agent to run node scripts that scrape many external sites (via Brave/GitHub/HN/arXiv), extract and save article content to ~/WorkBuddy/<skill>/, call AI rewrite and cover-generation, and publish (via wenyan-cli or browser automation). The code auto-loads .env files from several locations (skill root, ~/.openclaw/.env, ~/.workbuddy/.env) and will populate process.env with their keys. The skill also imports child_process.execSync in places (smart-optimize.js) and can run browser automation — this gives it the ability to execute arbitrary shell commands and automate a browser session, which is expected for publishing but increases risk and should be reviewed.
Install Mechanism
No platform install spec was provided (instruction-only from registry), but the package includes package.json/package-lock and the SKILL.md tells users to run `npm install`, `pip install ...` and `npm install -g @wenyan-md/cli`. These are standard but include a global npm install and pip installs — not inherently malicious but require user action and raise typical supply-chain considerations (npm/pip package integrity). There are no suspicious direct-download URLs or extract-from-URL installs in the package itself.
Credentials
SKILL.md and openclaw_env.js expect numerous sensitive env vars (OpenAI/LLM keys, WECHAT_APP_ID/SECRET, DASHSCOPE_API_KEY, proxies). The registry metadata did not declare any required env vars — a mismatch. Additionally loadOpenClawEnv will read multiple .env files in the user's home and skill root and will populate process.env with any keys found, potentially exposing unrelated secrets stored there. The code also recognizes many alternate key names (OPENROUTER_API_KEY, QWEN_API_KEY, etc.), increasing the range of secrets it may read.
Persistence & Privilege
The skill does not set always:true in registry flags (so it is not force-included). However the included skill-config.json has autoExecute: true (a local config value) and SKILL.md enables autonomous invocation behavior by default (disable-model-invocation is false); combined with the fact the skill reads home .env files and can publish (including browser automation), this increases runtime scope. The skill does not appear to modify other skills or system-wide settings.
Scan Findings in Context
[system-prompt-override] unexpected: Scanner flagged a system-prompt-override pattern in SKILL.md. The skill's YAML header includes 'allowed-tools' and runtime instructions; any attempts to inject or override agent prompts should be reviewed. This finding is unexpected for a content-scraping/publishing helper and worth auditing in the SKILL.md and code for prompt-injection text.
What to consider before installing
- Metadata mismatch: The registry lists no required credentials, but the SKILL.md and code require sensitive keys (OPENAI_API_KEY, WECHAT_APP_ID/SECRET, DASHSCOPE_API_KEY, proxy settings). Treat that as an inconsistency and confirm with the author before providing secrets.
- .env loading: The skill auto-loads .env files from the skill root and from your home (~/.openclaw/.env and ~/.workbuddy/.env). That means any secrets in those files will be read into the process. If you keep unrelated credentials in those files, run the skill in a controlled environment or set OPENCLAW_ENV_FILE to point to a dedicated .env.
- Review and isolate: Inspect the included scripts (they are present in the package). Because the skill can execute shell commands (execSync), run browser automation, and perform network I/O, you should: run it in an isolated VM/container, or a throwaway account; audit calls that perform exec or external requests (especially publish_browser and smart-optimize); and avoid global npm installs, preferring a local install.
- Limit privileges: Do not expose production WeChat or other high-value credentials until you've validated behavior. Use test accounts or API keys with limited permissions.
- Pay attention to third-party installs: The SKILL.md instructs npm/pip installs (including a global npm package). Prefer to pin and inspect those packages or install them in a virtualenv/local node_modules rather than globally.
- Prompt-injection signal: The pre-scan flagged a possible system-prompt-override pattern in SKILL.md. Review SKILL.md for any content that attempts to influence agent/system prompts or to instruct the agent beyond the declared commands.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- scripts/extractor/multi_site_bridge.js:26 · Shell command execution detected (child_process).
- scripts/image/generate_cover.js:133 · Shell command execution detected (child_process).
- scripts/main.js:1024 · Shell command execution detected (child_process).
- scripts/publisher/publish_browser.js:40 · Shell command execution detected (child_process).
- scripts/publisher/publish_wenyan.js:68 · Shell command execution detected (child_process).
- scripts/smart-optimize.js:730 · Shell command execution detected (child_process).
- scripts/main.js:20 · Environment variable access combined with network send.
- scripts/main.js:304 · File read combined with network send (possible exfiltration).
- scripts/publisher/api_publish.js:30 · File read combined with network send (possible exfiltration).
