Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Beauty

v1.0.10

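Daily beauty photo push. Triggered when the user sends keywords such as "今日美图" (today's beauty photos), "美图" (beauty photos) or "看美女" (look at beautiful women). Searches Xiaohongshu for real-person female bloggers and returns 9 full-body photos from 1 blogger. Automatically excludes wallpaper accounts, AI accounts and marketing accounts.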

0 stars · 225 downloads · 2 current · 2 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lorexxar/daily-beauty.

Install the skill "Daily Beauty" (lorexxar/daily-beauty) from ClawHub.
Skill page: https://clawhub.ai/lorexxar/daily-beauty
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install daily-beauty

ClawHub CLI

npx clawhub@latest install daily-beauty

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description promise (search Xiaohongshu and return 9 full-body photos) matches the code behavior. However, the code relies on a local MCP service at http://localhost:18060 and on the ImageMagick 'convert' binary, neither of which is documented in SKILL.md or declared as required. That is an unexplained dependency and a mismatch between the documentation and the code.

Instruction Scope

SKILL.md tells the agent to run the Python script and describes data files and output format. It does not mention contacting a local MCP RPC endpoint or the need to have a local proxy/service running. The script makes HTTP requests (to localhost and to Xiaohongshu CDN URLs), downloads files into the user's home directory (~/.openclaw/workspace/img), and invokes ImageMagick's convert through subprocess. These network and filesystem actions are expected for the stated purpose, but the absence of documentation about the local MCP endpoint widens the scope beyond what the README describes.

Install Mechanism

Having no install spec (instruction-only) is low risk by itself. But the script has undeclared runtime dependencies: the Python 'requests' library and the ImageMagick 'convert' binary; there is no install guidance to ensure these are present. That omission can cause unexpected failures or allow surprising behavior if a malicious 'convert' binary is present on PATH.

Credentials

The skill does not request environment variables, credentials, or external API keys. It only reads/writes local data files bundled with the skill and saves images under the user's home. This is proportionate to its described function. Caveat: it communicates with a local MCP service (localhost:18060). The script assumes that service is trusted but does not declare it; any sensitive data accessible through that local service could be reached.

Persistence & Privilege

The skill does not request forced inclusion (always:false) and does not modify other skills or system-wide settings. It writes only to its own data files and to an img directory under the user's OpenClaw workspace, which is consistent with its function.

What to consider before installing

Before installing or running this skill:

  1. Inspect or run the full script in a safe sandbox. The provided snippet calls a local service at http://localhost:18060 (MCP) and that endpoint is not documented in SKILL.md; confirm what MCP is and that you trust it.
  2. Ensure required runtime dependencies are present: Python 'requests' and ImageMagick 'convert' (the script invokes convert via subprocess).
  3. Be aware the skill will download remote images into ~/.openclaw/workspace/img and update local JSON files; check disk usage, copyright and privacy implications.
  4. If you do not run a legitimate local MCP service, the script may fail or interact with an unexpected local service; only run it if you control/understand that service.
  5. If you want higher assurance, ask the author to (a) document the MCP requirement and how MCP is secured, (b) declare required binaries/dependencies in SKILL.md, and (c) remove or clearly document any external network endpoints the script will contact.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975t2cygybhyy6s2jgk7bqm9984stpb
225 downloads
0 stars
11 versions
Updated 2w ago
v1.0.10
MIT-0

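Daily Beauty Photos

Fetches full-body photos of real-person female bloggers from Xiaohongshu, returning 9 images from 1 blogger each time.

Trigger words

  • "今日美图" (today's beauty photos)
  • "美图" (beauty photos)
  • "看美女" (look at beautiful women)
  • "推荐美女" (recommend beautiful women)

How to run

Run the Python script: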

python3 ~/.openclaw/workspace/skills/daily-beauty/daily_beauty.py

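The script automatically:

  1. Searches for Xiaohongshu bloggers
  2. Filters for real-person bloggers (excluding those already pushed, AI accounts, wallpaper accounts and marketing accounts)
  3. Downloads 9 full-body photos
  4. Updates the deduplication records
  5. Outputs the result in JSON format

Deduplication data files

  • data/pushed_bloggers.json - list of user_ids of bloggers already pushed
  • data/pushed_images.json - list of URLs of images already pushed

Output format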

{
  "success": true,
  "blogger": {
    "nickname": "昵称",
    "fans": "粉丝数",
    "likes": "获赞数",
    "desc": "简介"
  },
  "images": ["图片路径1", "图片路径2", ...]
}

Push to Feishu

Use the message tool to send the images:

message action=send channel=feishu target=user:ou_2f7b674673f4020ca4a64deda675ccc9 message="博主介绍" path=图片路径

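Notes

  1. The script automatically skips bloggers and images that have already been pushed
  2. Images must be full-body photos (aspect ratio >= 1.3)
  3. The blogger's follower count must be > 1000
  4. Accounts containing blacklisted keywords are excluded automatically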
