ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Wechat Writer

v1.0.0

Generates and uploads daily sincere, concise WeChat articles on trending AI/human topics with matched AI images, triggered at 10 AM or on command.

0· 69·1 current·1 all-time
by@robertstarry-gif

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for robertstarry-gif/daily-wechat-writer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Daily Wechat Writer" (robertstarry-gif/daily-wechat-writer) from ClawHub.
Skill page: https://clawhub.ai/robertstarry-gif/daily-wechat-writer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install daily-wechat-writer

ClawHub CLI

Package manager switcher

npx clawhub@latest install daily-wechat-writer
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to generate articles and upload drafts to WeChat; the code includes a WeChat uploader that requires app_id/app_secret and makes HTTP calls to api.weixin.qq.com. SKILL.md and auto_writer reference GOOGLE_IMAGEN_API_KEY for Google Imagen. However the registry metadata lists no required env vars/credentials. The skill therefore expects sensitive credentials that are not declared in the manifest, which is disproportionate and inconsistent with the listed requirements.
!
Instruction Scope
SKILL.md states the skill will aggregate trends from Reddit/Twitter/HackerNews/Xiaohongshu and generate images via Imagen 4. The pitch script is a mock (simulated topics), auto_writer.py prints status messages rather than performing the research/image generation, but upload_to_wechat.py contains real network code: fetching access tokens, uploading images, downloading remote images, and creating drafts. Instructions give the agent permission to call external APIs and perform network I/O; the code will download remote images and post content to WeChat. The scope of network access is broader than the manifest indicates and SKILL.md promises external scraping/generation that isn't fully implemented in the visible scripts.
Install Mechanism
No install spec (instruction-only with included scripts). That reduces installation risk because nothing is downloaded during install. The risk surface is runtime network activity in the scripts, not an installer fetching arbitrary archives.
!
Credentials
Registry metadata declares no required env vars, but SKILL.md and scripts refer to GOOGLE_IMAGEN_API_KEY and the WeChat uploader requires app_id and app_secret (sensitive). These credentials are necessary for core functionality but are not declared in the manifest. This mismatch is disproportionate and could lead users to supply sensitive credentials without realizing where they'll be used.
Persistence & Privilege
always is false and the skill does not request system-wide persistence in the manifest. The skill will run on trigger or scheduled cron per SKILL.md; autonomous invocation is allowed by platform default but is not an additional privilege in the manifest. The code does write temporary files when downloading images but does not appear to change other skills or system-wide configuration.
What to consider before installing
Before installing: 1) Be aware the code will call external networks (WeChat API, download image URLs) and needs Google Imagen and WeChat credentials even though the manifest lists none. Do not provide sensitive app_id/app_secret or API keys to an untrusted skill. 2) Ask the publisher to explicitly declare required env vars (GOOGLE_IMAGEN_API_KEY, WECHAT_APP_ID, WECHAT_APP_SECRET) and explain how they are used. 3) Review the remainder of upload_to_wechat.py (file was truncated in the package) and confirm there are no hidden endpoints or credential exfiltration points. 4) If you must test, run in an isolated environment or sandbox, supply least-privilege/test credentials, and monitor network traffic. 5) If you decide to use real WeChat credentials, rotate them afterward and consider creating a dedicated account with limited privileges. 6) If the source is unknown or you cannot verify the missing pieces, treat this as suspicious and prefer not to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk972dz3ry04fp2s941f6fnxhv584v32s
69downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@robertstarry-gif
latest
Download

Daily WeChat Article Writer Skill

Metadata

  • Name: daily-wechat-writer
  • Description: A cron-based skill that pitches 3 trending AI/Human-interest topics at 10:00 AM daily. Upon user selection, it auto-generates a full article with context-matched AI images and uploads it to WeChat draft box.
  • Author: Liuu (Editor-in-Chief)
  • Version: 1.1.0 (2026-03-26)

Features

  1. Daily Pitch (10:00 AM): Aggregates trending topics from Reddit, Hacker News, Twitter, and Xiaohongshu. Filters for human-centric AI stories (micro-perspective, emotional, sincere).
  2. Auto-Writer:
    • Deep research based on selected topic
    • Article writing in "Editor" persona (sincere, grounded, concise)
    • Context-aware AI image generation using Google Imagen 4
    • WeChat draft upload with proper Chinese title extraction
  3. Style Lock: Enforces sincere, grounded, and concise writing style; ensures Chinese title is used.
  4. Image Matching Protocol: Generated images must directly correspond to specific article sections (e.g., cover = IP creation scene, section images = concrete metaphors).

Usage

  • Automatic: Runs daily at 10:00 AM via system cron (managed by OpenClaw).
  • Manual: /daily-pitch to trigger the pitch immediately.
  • Selection: User replies "选1", "选2", etc. to trigger auto_writer.py.

Files

  • scripts/daily_topic_pitch.py: Fetches trends and formats the pitch.
  • scripts/auto_writer.py: Handles writing, AI image generation (Imagen 4), and WeChat upload.
  • scripts/upload_to_wechat.py: Handles Markdown parsing, title extraction, and WeChat API integration.

Configuration

  • Time: 10:00 AM Asia/Shanghai
  • Sources: Reddit (r/ArtificialInteligence, r/ChatGPT), Hacker News, Xiaohongshu (via search), Twitter (AI influencers).
  • Image Generation:
    • Model: imagen-4.0-generate-001 (Google Imagen 4)
    • API Key: Configured via environment variable GOOGLE_IMAGEN_API_KEY (user-provided)
    • Aspect Ratio: 16:9 (800x450 or similar)
    • Prompt Style: Realistic, cinematic, authentic textures, matching article's "earthy" aesthetic

Lessons Learned (2026-03-26)

  1. Unsplash实拍图虽可商用,但难以精准匹配微观意象 → 改用AI生图可100%定制
  2. 封面图必须反映文章核心主题 → "个人IP/朋友圈"主题需要手机/社交媒体/摆摊等视觉符号
  3. 标题提取必须优先使用Markdown中文化标题 → 修改了upload_to_wechat.py的标题解析逻辑
  4. 图片审核需前置分析 → 每次生成图片后应检查:是否匹配段落?是否符合"土味/真实"美学?是否呼应标题?
  5. API测试流程:先用curl测试imagen-4.0-generate-001端点,确认密钥有效后再批量生成

Comments

Loading comments...