Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Info Card
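v1.0.1
Generates Xiaohongshu-style info card / knowledge card / poster PNG images. 22 templates: magazine cover (magazine-cover), tech knowledge card (tech-knowledge), academic report (academic-report), product feature (product-feature), brand mood (brand-mood), checklist check-in (checklist), quote card...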
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (generate Xiaohongshu-style info cards) match the provided assets: 22 HTML templates and a Python script that renders HTML → PNG. No unexpected environment variables, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs running scripts/generate_card.py with optional JSON data or a JSON file and to install Playwright/Chromium; this stays within the card-generation scope. It legitimately reads template data (-d / -f) and can fetch/display images via image_url fields. However, the main script content (generate_card.py) was not included in the reviewed excerpt, so I cannot confirm whether it performs additional actions (network calls beyond fetching images, subprocess execution, reading arbitrary files, or sending data to external endpoints).
Install Mechanism
No registry install spec is provided (instruction-only), which is low-risk for automated installs. The skill depends on the Playwright Python package; installing Playwright will download a Chromium binary (documented in SKILL.md). This is expected for a headless-rendering tool but does cause a relatively large browser download and adds runtime network activity during installation.
Credentials
The skill declares no required environment variables, credentials, or config paths. The ability to pass data via -d or -f is appropriate for templated image generation. There is no declared need for unrelated secrets.
Persistence & Privilege
Skill flags are conservative (always: false). Runtime behavior described is generation of PNG files to /tmp or a user-specified path and optional HTML output for debugging. Nothing in SKILL.md or the templates indicates permanent system modifications or cross-skill configuration changes.
Assessment
This package appears to do what it says: render HTML templates to PNG via Playwright. Before installing or running it, open and review scripts/generate_card.py yourself (or ask someone to) and specifically search for network calls, subprocess usage, or reads of unexpected files or environment variables. Avoid passing sensitive secrets into -d or JSON files (-f). Be aware that installing Playwright will download Chromium (large binary and network activity). If you will run this on a machine with sensitive data, consider running it in an isolated environment/container. If you want, I can scan the generate_card.py file for network endpoints, subprocess usage, or use of os.environ if you provide its contents.
