ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI智能写作助手Pro

v1.0.0

AI 智能写作助手 - 支持多平台内容创作,包括公众号、小红书、知乎、LinkedIn 等风格。提供 AI 查重、SEO 优化、改写润色等功能,一键生成高质量内容。

0· 67·0 current·0 all-time
by@ryan-wuxl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match a multi-platform writing assistant and the skill requests a Tavily API key (used for 'hot topic' search), which is coherent. However SKILL.md and README reference additional scripts (scripts/rewrite.mjs, scripts/seo.mjs) that are not present in the package—an incomplete implementation or mismatch between documentation and shipped files.
!
Instruction Scope
The runtime script (scripts/write.mjs) uses child_process.execSync to invoke a script at ~/.openclaw/skills/tavily-search/scripts/search.mjs. That executes arbitrary code from the user's skill directory and is not declared as a dependency. The script also passes the process environment to the child, exposing other environment variables and the TAVILY_API_KEY to the executed script. This execution surface is broader than a simple content generator and could be abused if the invoked script is untrusted or replaced.
Install Mechanism
No install spec or network downloads are present; the package is shipped with local JS files only. There is no evidence of remote archives or unusual installation steps.
!
Credentials
The skill only declares one required env var (TAVILY_API_KEY), which is reasonable for a 'hot topic' search feature. However, because the script spawns a child process and spreads process.env into the child's environment, any other environment secrets present on the host could be made available to the invoked script. The skill does not justify making arbitrary local skill code able to access the full environment.
Persistence & Privilege
The skill does not request 'always: true' or otherwise demand permanent/resident privileges and does not modify system-wide or other-skills' configuration. It only reads process.env and the HOME path to find another skill.
What to consider before installing
This skill largely behaves like a writing assistant, but it executes a local script at ~/.openclaw/skills/tavily-search/scripts/search.mjs with your environment available. Before installing or using it: 1) Verify the tavily-search script exists and is from a trusted source (inspect its contents). 2) Don't set sensitive env vars (or run in an environment with other secrets) until you confirm the invoked script is safe. 3) Ask the author why rewrite.mjs and seo.mjs are referenced but missing. 4) If you must run it, prefer an isolated/sandboxed environment (or container) and limit environment variables. If you cannot validate the invoked tavily-search code, treat the skill as potentially unsafe.
scripts/write.mjs:151
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971n8neg9smfwh1px9t4c5yb583866w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✍️ Clawdis
Binsnode
EnvTAVILY_API_KEY
Primary envTAVILY_API_KEY

Comments