Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Content Creation Assistant

v1.0.0

AI smart writing assistant: supports content creation for multiple platforms, including WeChat Official Accounts, Xiaohongshu, Zhihu, LinkedIn and other styles. Provides AI plagiarism checking, SEO optimization, rewriting and polishing, and one-click generation of high-quality content.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description ask for hot-topic search and content generation; requiring node and a Tavily API key is coherent. However, the runtime code execs a script at ~/.openclaw/skills/tavily-search/scripts/search.mjs — this implies a dependency on a separate local 'tavily-search' skill that is not declared in metadata or SKILL.md. That implicit dependency is unexpected and deserves explanation.
Instruction Scope
SKILL.md describes only write/rewrite/seo workflows, but only write.mjs is bundled; rewrite.mjs and seo.mjs are referenced but missing. The bundled write.mjs uses child_process.execSync to run a node script located under the user's HOME .openclaw/skills path (an external script) and constructs a shell command including the user-provided topic. Executing another skill's script and building shell commands from user input create real risks (unexpected code execution and shell injection).
Install Mechanism
No install spec (instruction-only plus included script) — lowest install risk. Nothing is downloaded from remote URLs or installed automatically by this package.
Credentials
Only TAVILY_API_KEY is required, and it is justified by the advertised '热点搜索' (hot-topic search) feature. The script also depends on standard environment variables like HOME and deliberately passes TAVILY_API_KEY into the subprocess. This is plausible, but the skill will hand that API key to an external script (tavily-search) that is not part of this package; review that script before granting the key.
Persistence & Privilege
The manifest's 'always' flag is false; the skill does not request elevated or persistent system-wide privileges in its manifest. It does execute code from another skill's directory, but it does not appear to modify other skills or system configuration.
What to consider before installing
This skill mostly does what it claims, but there are several red flags to review before installing or running it:
1) The bundled write.mjs invokes an external script at ~/.openclaw/skills/tavily-search/scripts/search.mjs. Ensure that file exists and is from a trusted source (inspect it).
2) The README/SKILL.md mention rewrite.mjs and seo.mjs, but those files are not included; confirm the package is complete.
3) write.mjs runs a shell command via execSync and interpolates the topic into the command string; maliciously crafted topics could lead to shell injection. Avoid running it with untrusted input, or run it in a restricted sandbox.
4) The skill passes your TAVILY_API_KEY to the external script. Limit the key's scope if possible, and only provide it if you trust the tavily-search implementation.
5) If you cannot inspect the referenced tavily-search script or verify the repository origin, run the skill in an isolated environment (container/VM) or reject installation.
Reviewing the missing helper scripts and the external tavily-search script would likely change this assessment to benign if they are legitimate and safe.
scripts/write.mjs:151
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Version: latest (vk971mjbmm9ej3vrbccgfhehff983af34)


Runtime requirements

Clawdis
Bins: node
Env: TAVILY_API_KEY
Primary env: TAVILY_API_KEY
