Skillv1.0.0

ClawScan security

小红书图文生成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 10:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (generate Xiaohongshu-style HTML + images), but there are a few inconsistencies and risky choices (hardcoded filesystem paths, bundled Puppeteer dependency, use of broad tools) that merit caution before installing.
Guidance: This skill appears to do what its description says (generate Xiaohongshu-style HTML and images), but take precautions before installing or running it: - Inspect and remove or modify temp-convert.js before running. It contains hardcoded absolute Windows paths to a user's .openclaw workspace; running it as-is will read/write those locations and launch Puppeteer. - Expect npm install (or equivalent) to fetch Puppeteer and a Chromium binary (large download). If you do not want Chromium downloaded or executed, avoid installing or run in an isolated environment. - The skill requests filesystem, shell, and browser tool usage — necessary for rendering HTML to images but capable of broad actions. Only enable these tool permissions if you trust the code and run it with least privilege (non-admin account, sandboxed environment). - Verify the referenced peer skill html-pages-to-images (file:../html-pages-to-images). If that dependency is not present or is replaced, behavior may change. - If you plan to use the skill to fetch hot-trend data, prefer providing the hotData from trusted sources or from separate vetted skills; the SKILL.md suggests scraping public platforms but the package does not include scrapers for those platforms. - Consider running the skill in a disposable VM/container or reviewing the code and removing any hardcoded paths, then running tests on non-sensitive directories first. If you want, I can point out exact lines in temp-convert.js to change, suggest safer defaults for paths, or produce a sanitized version of the script that accepts paths via parameters instead of hardcoding them.

Review Dimensions

Purpose & Capability: okName, description, SKILL.md, and the code (index.js + temp-convert.js) consistently implement HTML + image generation for Xiaohongshu-style posts. Declared dependency on an html-pages-to-images skill and inclusion of puppeteer in package.json are coherent with the stated goal of converting HTML pages to images.
Instruction Scope: concernSKILL.md instructs the agent to fetch hot topics from external platforms (微博/知乎/脉脉) and to call other skills (maimai-fetch, html-pages-to-images). The included code itself does not perform web scraping of those platforms (it expects hotData passed in), but temp-convert.js contains a hardcoded absolute Windows path to a workspace HTML file and images directory. That test script will read and write specific user-workspace locations and launch Puppeteer. The SKILL.md also grants browser/shell/filesystem tools — appropriate for the job but broad: these enable network access and arbitrary filesystem reads/writes if the agent follows them.
Install Mechanism: noteThere is no install spec provided. package.json lists puppeteer (which downloads Chromium on install) and a peerDependency pointing to a local ../html-pages-to-images skill. No remote or obfuscated downloads are present in the repo. Lack of an install step means the platform or user will need to run npm install to satisfy puppeteer, which pulls a large Chromium binary.
Credentials: noteThe skill does not request environment variables or external credentials (requires.env empty). However it requests use of filesystem, shell, and browser tools — reasonable for generating and rendering HTML, but these are high-privilege capabilities. The hardcoded absolute paths in temp-convert.js target the user's OpenClaw workspace (C:\Users\Administrator\.openclaw...), which is disproportionate and risky (may read or overwrite files in that location).
Persistence & Privilege: okSkill is not always-enabled and is user-invocable; it does not request persistent platform privileges in skill.json. The code does not appear to modify other skills or global agent configuration.