Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi Platform Publisher Agent

v1.0.0

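Multi-platform publishing agent. Trigger this skill when you need to publish books on various platforms, manage publishing schedules, or handle covers and formatting. Used for: (1) publishing novel content to platforms such as Amazon KDP, Fanqie (番茄), Qidian (起点) and Jinjiang (晋江); (2) adapting to each platform's format and cover requirements; (3) managing scheduled publishing and update cadence; (4) handling slider CAPTCHAs; (5) recording publishing status and reported-back (回传) data.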

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The SKILL.md describes actions that legitimately require platform credentials, automation toolkits (Playwright, PyAutoGUI, UiPath), and third‑party captcha solver API keys. The registry metadata declares none of these as required binaries, env vars, or install steps — a mismatch between claimed capability and requested resources.
[!] Instruction Scope
Instructions tell the agent to log into publisher platforms, perform web and desktop automation, call captcha‑solving services, and return platform IDs/status. The document does not specify how credentials are supplied/secured, where returned data is sent/stored, or any constraints on transmitting sensitive data — leaving room for credential use/exfiltration.
Install Mechanism
This is an instruction‑only skill (no install spec, no code). That limits on‑disk installation risk, but also creates an operational inconsistency: the SKILL.md explicitly depends on several libraries/tools and external services but provides no installation or runtime dependency declarations.
[!] Credentials
The workflow clearly requires access to platform accounts and likely API keys for captcha services and possibly RPA licenses. Yet requires.env and primary credential fields are empty. Missing declared credentials is disproportionate and obscures what secrets the skill will need or access.
Persistence & Privilege
always:false and no install actions are declared. The skill does not request forced persistence in the manifest. Autonomous invocation is allowed by default but is not combined here with declared broad credential access in the manifest (though the SKILL.md implies such needs).
What to consider before installing
Before installing or enabling this skill, ask the publisher/author for the following clarifications: (1) Which exact binaries and libraries must be present (Playwright, PyAutoGUI, UiPath, etc.) and who installs them? (2) Exactly which environment variables or credential stores will be used for platform logins and captcha API keys, and how are those secrets supplied and protected? (3) Where does the skill send its "回传" data (internal system, external endpoint, who can read it)? (4) Which captcha‑solving vendor(s) will be used and do you have legal/ToS approval to use them for each platform? (5) Provide an explicit installation spec and a minimal permission/security checklist (network endpoints, logs, and storage locations). If you cannot get concrete answers and a manifest update that declares required credentials and install steps, avoid enabling this skill or run it in a tightly sandboxed environment with limited network/credential access and human approval before any platform login or publish action.
