朋友圈4宫格卡片 (WeChat Moments 4-grid card)
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill’s creative purpose is coherent, but its script uses a hard-coded MiniMax API key and provider despite telling users it needs an OpenAI key.
Do not install this as-is unless you are comfortable with your prompts being sent to MiniMax through an embedded third-party API key. Prefer a version that removes the hard-coded key, declares its dependencies, and lets you configure your own documented provider credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Hard-coded third-party API key
Impact: The skill may operate under an unknown MiniMax account, and the exposed key could be abused or revoked outside the user's control.
Detail: The skill embeds a live-looking provider API key directly in the distributed code and uses it as a Bearer token, rather than requiring a user-scoped credential.
Evidence: MINIMAX_API_KEY = "sk-cp-qF0H7zzHFfGnFUYEu_UC9q77Gt51T16M698NWthaRh4KumX_..."
Recommendation: Remove the hard-coded secret, require the user to provide their own scoped API key through a declared environment variable, and document the provider and permissions.
Finding 2: Documented provider does not match the implementation
Impact: A user may believe they are using OpenAI or their own configured key when their topic is actually sent to a different provider using a bundled credential.
Detail: The user-facing instructions say the skill needs an OpenAI API key, while the included script is configured for MiniMax with an embedded key. This mismatch can mislead users about which service handles their content.
Evidence (SKILL.md): 生成文案需要 OpenAI API Key,如果没有配置请告诉我。 ("Generating the copy requires an OpenAI API Key; if none is configured, please tell me.")
Recommendation: Update the documentation to accurately name the provider used, or change the implementation to match the documented OpenAI credential flow.
Finding 3: Undisclosed external data flow
Impact: Any topic the user provides may be transmitted to an undisclosed external AI provider.
Detail: The script sends the user's topic and generation prompt to an external MiniMax API endpoint, but the SKILL.md does not disclose MiniMax as the data recipient.
Evidence: requests.post(f"{MINIMAX_BASE_URL}/messages", headers=headers, json=payload, timeout=60)
Recommendation: Clearly disclose the external data flow, provider, and retention/privacy implications before sending user input.
Finding 4: Undeclared dependencies
Impact: The skill may fail or require additional package/browser setup that is not visible in the registry metadata.
Detail: The code depends on external Python packages and a browser automation runtime, but the supplied install metadata declares no install spec or required binaries.
Evidence: import requests ... from playwright.sync_api import sync_playwright
Recommendation: Declare required dependencies and versions, and provide a clear install specification if this script is intended to run.
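The four findings above are all static, artifact-level checks that can be reproduced without running the skill. The following is an added example written for this page, not ClawScan's scanner and not code from the skill: it parses a script with Python's `ast` module and flags (1) string literals assigned to secret-looking names that match common key prefixes or have high entropy, (2) providers named by API hostnames in the script that the SKILL.md never mentions, and (3) imported third-party modules absent from the declared dependency list. The sample SKILL.md and script are constructed to mirror the quoted evidence; the key is a made-up placeholder and the `api.minimax.example` hostname is hypothetical.

```python
import ast
import math
import re
import sys
from collections import Counter
from urllib.parse import urlparse

# Constructed sample artefacts shaped like the ones the findings quote.
# FAKE_KEY is a made-up placeholder, not a real credential.
FAKE_KEY = "sk-cp-EXAMPLEn0tReal7Kq2Vx9pL3mZ8wT4yB6hJ1dF5gS"

SKILL_MD = """# 朋友圈4宫格卡片
生成文案需要 OpenAI API Key,如果没有配置请告诉我。
"""

SCRIPT_TEMPLATE = '''
import requests
from playwright.sync_api import sync_playwright

MINIMAX_API_KEY = __KEY__
MINIMAX_BASE_URL = "https://api.minimax.example/v1"  # hypothetical host

def generate(topic):
    headers = {"Authorization": f"Bearer {MINIMAX_API_KEY}"}
    payload = {"messages": [{"role": "user", "content": topic}]}
    return requests.post(f"{MINIMAX_BASE_URL}/messages", headers=headers, json=payload, timeout=60)
'''
# Variant with the credential embedded in the distributed code (Finding 1).
SCRIPT_EMBEDDED_KEY = SCRIPT_TEMPLATE.replace("__KEY__", f'"{FAKE_KEY}"')
# Hardened variant: the credential comes from the user's own environment.
SCRIPT_ENV_KEY = "import os\n" + SCRIPT_TEMPLATE.replace("__KEY__", 'os.environ["MINIMAX_API_KEY"]')

KNOWN_PROVIDERS = ("openai", "minimax", "anthropic", "gemini", "deepseek")
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)
# Common vendor key prefixes; the entropy test below catches unprefixed keys.
SECRET_PREFIX = re.compile(r"^(sk|xox[abp]|ghp|AKIA)[A-Za-z0-9_\-]{16,}$")
STDLIB = getattr(sys, "stdlib_module_names", {"os", "sys", "json", "re"})


def shannon_entropy(s):
    """Bits per character; random keys sit well above ordinary text (~4.0)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def audit_skill(skill_md, script_src, declared_deps=()):
    """Return (code, detail) findings for the failure modes listed above."""
    findings = []
    tree = ast.parse(script_src)
    script_providers, imported = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    value = node.value.value
                    if SECRET_PREFIX.match(value) or (len(value) >= 32 and shannon_entropy(value) > 4.0):
                        findings.append(("HARDCODED_SECRET", f"{target.id} holds a literal credential"))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value.startswith(("http://", "https://"))):
            # Every URL literal names a data recipient; map its host to a provider.
            host = urlparse(node.value).hostname or ""
            script_providers.update(p for p in KNOWN_PROVIDERS if p in host)
        elif isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    # Providers the user-facing docs actually name.
    documented = {p for p in KNOWN_PROVIDERS if p in skill_md.lower()}
    for provider in sorted(script_providers - documented):
        findings.append(("PROVIDER_MISMATCH",
                         f"script sends data to {provider}; SKILL.md documents {sorted(documented) or 'no provider'}"))
    for module in sorted(imported - STDLIB - set(declared_deps)):
        findings.append(("UNDECLARED_DEPENDENCY", f"{module} is imported but not declared"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_skill(SKILL_MD, SCRIPT_EMBEDDED_KEY):
        print(code, "-", detail)
```

Run against the embedded-key script with no declared dependencies, the audit reports one hard-coded secret, a MiniMax/OpenAI provider mismatch, and two undeclared packages (`requests`, `playwright`). Run against the environment-variable variant with both packages declared, only the provider mismatch remains, which is the point of Finding 2: fixing the credential handling does not by itself make the documentation truthful.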
