Smarter Content
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s writing features are coherent, but its helper scripts can pass article text and reference URLs into shell commands, creating a local command-execution risk.
Review or disable the JavaScript helpers before installing. In particular, avoid the automatic fact-check and style-mimic paths until shell execution is removed or safely sandboxed, and verify important factual claims manually before publishing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the fact-check step runs on content containing shell syntax, commands could execute on the user’s machine with the agent’s permissions.
Generated article content is interpolated into a shell command. Escaping quotes does not prevent shell substitutions such as $() or backticks, so normal article text or attacker-influenced text could trigger local command execution.
const cmd = `node ai-fact-checker/scripts/fact-check.js ... ${content.replace(...)} ...`; const result = execSync(cmd, ...);
Replace shell-string execSync with execFile/spawn using an argument array, or call a reviewed fact-checker API directly. Do not pass article text through a shell.
Using the style-mimic feature with an untrusted or malformed URL could cause unintended local command execution or tool behavior.
The user-provided reference URL is embedded inside a shell-launched node command. If this path is runnable, a crafted URL can affect the shell command rather than being treated only as data.
const content = execSync(`node -e "... webFetch('${url}', { extractMode: 'markdown' }) ..."`, ...);
Do not wrap webFetch in a shell command. Pass the URL as data to a normal function call, validate allowed URL schemes, and avoid node -e for user-controlled inputs.
Fact-checking may fail, or the runtime may execute whatever local helper matches the expected path, making provenance unclear.
The skill describes an external fact-checker as optional but also relies on it for the automatic workflow; the supplied package does not include or pin that helper.
`ai-fact-checker` - used to automatically check factual accuracy after writing (installation recommended; optional but recommended)
Declare and pin external helpers, document exactly how they are installed, and avoid running relative-path helper scripts unless they are included and reviewed.
Users may over-trust generated articles and publish inaccurate content without independent review.
The documentation strongly implies factual accuracy is guaranteed, while the fact-checker is described elsewhere as optional and is implemented as a fallible helper.
Built-in SEO optimization + AI fact-checking guarantees accuracy
Treat fact-checking as assistance, not a guarantee, and manually verify important claims before publishing.
