Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Book Writer
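v1.0.0
An OpenClaw skill for AI-assisted writing that generates a book outline from a prompt and expands the content level by level, with support for adding formulas, figures, code, and other elements. Suitable for academic works, technical books, novels, and many other kinds of writing.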
by @pyjhhh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md match the stated purpose (generate outlines, expand chapters, insert formulas/figures, search materials). Required capabilities (OpenAI for generation, Google Custom Search for material lookup) are coherent with the described features.
Instruction Scope
SKILL.md and scripts instruct the runtime to use OPENAI_API_KEY, GOOGLE_CSE_ID and GOOGLE_API_KEY; generate and write book files to generated_books; create temp and logs directories; and perform network requests to Google and OpenAI. These are expected for the feature set, but SKILL.md and scripts also assume certain local paths (logs/, temp_files/, generated_books/, assets/templates) and the test script checks for assets/templates which is not present in the manifest — the instructions have scope assumptions that don't match the packaged files.
Install Mechanism
No formal install spec in registry, but an included install_dependencies.py script will pip install packages from PyPI (openai, requests, pyyaml, etc.). That is a normal install method but requires network access and will modify the Python environment; there is no download from unknown servers or archives.
Credentials
Registry metadata declares no required environment variables, yet SKILL.md and multiple scripts require and check OPENAI_API_KEY, GOOGLE_CSE_ID and GOOGLE_API_KEY. Requesting exactly those three keys is proportionate to the stated functionality, but the metadata omission is inconsistent and could mislead users into granting keys without realizing they are required.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It writes logs and output files in its own directories (generated_books, temp_files, logs) which is expected for this type of tool.
What to consider before installing
This package mostly does what its description says (uses OpenAI for text generation and Google CSE for finding materials), but there are mismatches you should be aware of:
- The registry claims no required env vars and 'instruction-only', but the files and SKILL.md clearly require OPENAI_API_KEY, GOOGLE_CSE_ID and GOOGLE_API_KEY and include Python scripts and an installer. Treat it as a code-based skill, not instruction-only.
- The included install script will pip install packages from PyPI (network activity and changes to your Python environment). Run it in a virtualenv or isolated environment if you proceed.
- The skill will create output, temp, and logs directories and write files (generated_books, temp_files, logs/book_writer.log). If you are concerned about file writes, run it in a disposable directory or container.
- Verify and limit the API keys you provide (use least-privilege keys, billing/quotas, and revoke if unsure). Consider using separate accounts or API quotas for testing.
- There are a few code issues (e.g., one loader references yaml in material_searcher without importing yaml) — the package has bugs and may fail in places; review the code before trusting with sensitive keys.
- If you require higher assurance, request the skill author/source or run the scripts in an isolated VM/container and inspect network traffic during a test run.
latestvk97437re1wwbmqqgqvzsyh317981bhc2
