FBS-BookWriter

v2.1.2

FBS 福帮手长文档写作：书/手册/白皮书/长篇报道全流程；Node 脚本驱动 intake、会话恢复、S/P/C/B 质检与 MD/HTML 交付。用户提及写书、出书、章节、大纲、素材、质检、导出、扩写、退出保存时启用。

⭐ 0· 273·1 current·1 all-time

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for duhongchao-fbsir/fbs-bookwriter.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "FBS-BookWriter" (duhongchao-fbsir/fbs-bookwriter) from ClawHub.
Skill page: https://clawhub.ai/duhongchao-fbsir/fbs-bookwriter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install fbs-bookwriter

ClawHub CLI

Package manager switcher

npx clawhub@latest install fbs-bookwriter

Security Scan

Capability signals

CryptoCan make purchasesRequires OAuth tokenRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description (long-form writing, intake/recovery, QC, MD/HTML delivery) match the included Node scripts and CLI usage. Requesting node/npm is appropriate. However the repo also contains extensive host-bridge code (workbuddy/wecom/*, memory adapters, diagnostics, orchestration agents) that go beyond a minimal book-builder; these extras could be legitimate enterprise features but are broader than the brief skill description suggests.

ℹ

Instruction Scope

SKILL.md explicitly instructs the agent to run many node scripts (intake-router, fbs-cli-bridge, expansion/polish/release governors) and to read/write files under the user's <bookRoot>/.fbs and deliverables directories. That is coherent for a writing tool, but the instructions also reference environment preflight, host diagnostics, and host-memory bridges. The skill cautions against indiscriminate file searches and includes specific safe-read guidance; still, the runtime will execute arbitrary JS in the package and can modify files in the user's bookRoot, so follow the listed constraints closely.

✓

Install Mechanism

No remote download/install spec is included; SKILL.md asks the user to place the skill directory into a known skills path and run npm install in the skill root. That is a standard Node install flow and is proportionate. Because the package already contains hundreds of files and package.json, the risk surface is that 'npm install' will fetch dependencies and then 'node' will run many included scripts — expected but high-impact compared to a small instruction-only skill.

Credentials

The skill declares no required environment variables or credentials (primaryEnv none), which is appropriate. However many scripts reference host bridges (workbuddy, wecom client, host memory integration) and runtime hints mention sandbox env injection and optional env flags (e.g., FBS_ALLOW_NO_FOOTNOTE, FBS_BUILD_STRICT_SOURCES). The presence of wecom and host-memory adapter code means the package can call external services if configured; although not requesting secrets up front, it expects host context and may use injected env vars if provided. This expands the attack surface and should be checked if you plan to provide host credentials or enable network access.

ℹ

Persistence & Privilege

The skill does not request always:true and does not attempt to persist as a platform skill. It does, however, intentionally read/write persistent files under the user's project (.fbs/, releases/, deliverables/) and can back up/modify source files. That is coherent with a writing/CI tool but is a high-privilege filesystem activity relative to a simple read-only helper — treat its file write operations as significant.

What to consider before installing

This package is a large, feature-rich Node-based book authoring system. It will run Node scripts, read and write files under the project/book root (not system-wide by default), and includes optional host-bridge and diagnostics code (WorkBuddy/WeCom/memory adapters). Before installing or running it: 1) review package.json and the top-level scripts you will invoke (e.g., intake-router.mjs, fbs-cli-bridge.mjs, build.mjs); 2) run npm install in an isolated environment (or inspect node_modules before executing scripts) and consider running in a sandboxed container if you are unsure; 3) avoid granting host credentials or injecting sensitive env vars unless you trust the publisher and have audited the wecom/host-bridge code; 4) back up your bookRoot before allowing the skill to modify files; 5) if you need a smaller footprint, ask the publisher for a trimmed package with only build and core writer scripts (no host-bridge/diagnostics) or for provenance/maintainer identity. If you want, I can list the top files to inspect first (scripts that perform IO/network calls) or scan for network endpoints and external host calls in the codebase.

✗

scripts/agents/audit-agent.mjs:83