Generate News Article

Verdict: Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s article-generation purpose is coherent, but its script embeds a SerpAPI key and unsafely injects user arguments into generated Python code.

Review or modify the script before installing. At minimum, remove the hardcoded SerpAPI key, declare and use your own SERPAPI_API_KEY, fix the unsafe Python heredoc argument handling, and replace the hardcoded /Users/lihaijian workspace paths with paths resolved for your own OpenClaw environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: unsafe interpolation of arguments into Python source

What this means

Running the skill with maliciously crafted input could execute unintended local code under the user’s account.

Why it was flagged

The script takes user-controlled arguments and expands them into Python source inside an unquoted heredoc. A crafted keyword or result count containing quotes/newlines could change the Python code that is executed.

Skill content

    KEYWORD="${1:-AI助手}"
    NUM_RESULTS="${2:-5}"
    ...
    python3 << PYTHON_SCRIPT
    ...
    keyword = "$KEYWORD"
    num_articles = int("$NUM_RESULTS")

Recommendation

Do not interpolate shell variables into Python source. Pass arguments through environment variables, argv, or a JSON file; quote the heredoc delimiter; and validate that NUM_RESULTS is a safe integer.

Finding 2: hardcoded SerpAPI key

What this means

Users may unknowingly run searches through a shared or publisher-controlled SerpAPI account, creating billing, audit, privacy, and credential-exposure risk.

Why it was flagged

The script embeds a SerpAPI API key and forces its use on every run, while the documentation says users should set SERPAPI_API_KEY themselves and the registry declares no required credential.

Skill content

    SERPAPI_API_KEY="9cda299d...b16796" python3 "$SERPAPI_SCRIPT" google "$KEYWORD" --num "$NUM_RESULTS"

Recommendation

Remove the hardcoded key, require the user to provide SERPAPI_API_KEY through the normal credential mechanism, and declare the credential requirement in metadata.

Finding 3: user-specific absolute dependency path

What this means

The skill may fail on most systems or run whichever local file exists at that hardcoded path.

Why it was flagged

The script executes a SerpAPI helper from a fixed absolute workspace path instead of resolving a declared, versioned dependency from the current installation.

Skill content

    SERPAPI_SCRIPT="/Users/lihaijian/.openclaw/workspace-wechat-publisher/skills/serpapi/scripts/serp.py"

Recommendation

Resolve the SerpAPI dependency through OpenClaw’s normal skill mechanism, avoid user-specific absolute paths, and pin or clearly declare the dependency version.