✓ Purpose & Capability
Name/description match the implementation: the skill calls an LLM-compatible API to generate listing drafts and includes an optional image-generation module that calls external image APIs. Requiring an LLM API key (LISTING_API_KEY / OPENAI_API_KEY) and optional image keys (COZE_TOKEN / MIHE_KEY / COZE_WORKFLOW_ID) is coherent with the stated purpose.
! Instruction Scope
SKILL.md is simple and claims only listing + optional image generation, but the code goes further: the image module attempts to detect a runtime recipient via many FEISHU-related env vars and also probes tmux's openclaw pane (runs 'tmux capture-pane') to extract sender/chat IDs. That behavior reads local terminal state and potentially chat metadata beyond what's described in the SKILL.md.
✓ Install Mechanism
There is no install spec (instruction-only style, with code shipped alongside). No remote downloads or archive extraction are performed by the skill itself. The skill will create a .env in its own directory if missing and write a runtime.log file, which is normal for a local tool but worth noting.
! Credentials
The skill reads multiple API key env vars (LISTING_API_KEY, OPENAI_API_KEY, MOONSHOT_API_KEY, KIMI_API_KEY) and many FEISHU/OPENCLAW environment names to determine a recipient. Reading your LLM API key and optional image API keys is expected, but probing unrelated env names and collecting Feishu IDs increases the amount of sensitive data the skill can access and use to send outputs.
ℹ Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a .env template into its own skill directory and appends to a runtime.log there. However, it spawns subprocesses (tmux) and references a Feishu helper in TOOLBOX_ROOT, which could access other local tooling; these are not permanent privileges, but they are system interactions beyond simple LLM calls.
Scan Findings in Context
[http_call_openai_compatible] expected: skill.py posts chat/completions to LISTING_BASE_URL/OPENAI_BASE_URL with an API key — expected for a listing generator that uses an LLM.
[http_call_coze_image_api] expected: modules/coze_generate_image.py calls COZE_API_URL and uses COZE_TOKEN/WORKFLOW_ID for image generation — expected for optional automatic image generation.
[subprocess_tmux_capture] unexpected: The image module runs 'tmux capture-pane -pt openclaw' to parse recent OpenClaw messages and extract sender/chat IDs. This reads terminal session contents and is outside the stated listing-generation purpose; treat as unexpected.
[reads_many_feishu_envs] unexpected: The image module enumerates many FEISHU/OPENCLAW env var names to auto-detect a recipient. While sending images to Feishu might be useful, auto-probing many env variables is broader access than the SKILL.md describes.
[writes_env_template_and_runtime_log] expected: The code will create a .env (from ENV_TEMPLATE.txt) and append to a runtime.log in the module directory — reasonable for local configuration and logs, but review contents before sharing.
What to consider before installing
This skill largely does what it says (uses an LLM to draft Amazon listings and can call image APIs), but it also probes local environment and terminal state to auto-detect Feishu recipients and may send images via a helper script. Before installing:
1) Review the code (modules/coze_generate_image.py and skill.py) yourself or with a colleague.
2) Don't run it with your production API keys until you're comfortable; use a limited or test key.
3) If you don't need automatic image sending, remove or disable modules/coze_generate_image.py, or clear the FEISHU/OPENCLAW env vars.
4) Be aware it will create a .env in the skill directory and write runtime.log there.
5) If you want higher assurance, run the skill in an isolated environment or container and monitor network calls to verify which external endpoints are contacted.