Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md says the skill requires the user's OpenAI API key, but the implementation does not use OpenAI — it calls a third‑party MiniMax API with a hard-coded API key. The code also relies on Playwright/Chromium to render images, but the skill metadata declares no binaries or install steps. These mismatches suggest the runtime behavior is not what the user is told.
Instruction Scope
SKILL.md limits scope to generating copy and images, but the script sends the user's topic to an external API (https://api.minimaxi.com/...) using an embedded credential. The README does not disclose this network destination or that the developer-supplied key will be used instead of the user's key, so user data may be transmitted to an unexpected third party.
Install Mechanism
There is no install spec, yet the script imports and uses Playwright (and launches a browser), plus requests/httpx. Those are non-trivial dependencies (Playwright requires installing Chromium). The absence of declared installs or required binaries is a mismatch and will lead to runtime failures or implicit installs outside the user's control.
Credentials
The skill declares no required environment variables, but the code embeds a long-looking API key constant. This provides the skill author (or whoever controls that key) access to all prompts sent to the service. The SKILL.md telling users to provide an OpenAI key is misleading and gives a false sense of control over where data goes.
Persistence & Privilege
The skill does not request always:true or modify system/other-skill configs. However, because it will transmit user-supplied topics to an externally controlled API using an embedded credential, autonomous invocation increases the potential blast radius — prompts sent automatically could be collected by the third party.
What to consider before installing
Do not install or run this skill unless you trust the author and understand the risks. Specific concerns: (1) the script contains a hard-coded third-party API key and will send your topics to https://api.minimaxi.com rather than using an OpenAI key you provide; this can leak prompts and any sensitive content you include; (2) required runtime dependencies (Playwright/Chromium, httpx/requests) are not declared — the skill may fail or trigger large automatic installs; (3) the SKILL.md is inaccurate about where the generation happens. Recommended actions before using: ask the author to remove the embedded API key and instead use a documented environment variable under your control; require explicit disclosure of the external service and its privacy policy; add an install spec or dependency list for Playwright/Chromium; or review and run the script in a sandboxed environment. If you cannot verify these changes, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk975qjds3fdehr9g7srr2fakbh81yfqx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📱 Clawdis