ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kids AI Magazine

Generate a kids-friendly AI news magazine with text and audio narration. Creates an interactive HTML magazine with stories adapted from real AI news for ages...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 100 · 0 current installs · 0 all-time installs
by@xiaofengshi
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (create a kids AI magazine with text + audio) aligns with provided assets: an HTML template, example stories, a build script, and a TTS generation script. However, SKILL.md instructs the agent to "Gather 3-5 current AI news items" from the web, while the included scripts operate on a local stories JSON (they do not fetch news automatically). This mismatch (manual/agent web collection vs code expecting stories.json) is an incoherence the user should be aware of. The use of edge-tts and optional cloudflared is explainable by the TTS and share/preview steps.
!
Instruction Scope
SKILL.md tells the agent to gather news from external sites and to run pip3 install edge-tts and optionally brew/cloudflared to expose a local server. Generating audio via edge-tts will send story text to an external TTS service (Microsoft/Bing endpoints) which transmits the text off-host; this could leak sensitive content if stories contain PII. The guidance to publish via cloudflared intentionally exposes a local webserver to the public — a privacy/security consideration. Additionally, the static scan found unicode-control-chars in SKILL.md (possible hidden characters used in prompt-injection). The instructions do not request local secrets or unrelated config paths, but the web-collection, external TTS, and public tunnel steps increase the attack surface and warrant scrutiny.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which reduces automatic install risk. However SKILL.md instructs users to run 'pip3 install edge-tts' and (optionally) 'brew install cloudflared' — installing third-party packages from PyPI/Homebrew is a normal practice but carries moderate risk (malicious/compromised packages are possible). The code itself will run the edge-tts module via 'python -m edge_tts' (subprocess). No downloads from untrusted URLs or archive extraction are present in the package itself.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the included scripts do not reference secrets or env vars. This is proportionate for the stated functionality. Note: using external TTS will transmit content externally even without credentials.
Persistence & Privilege
The skill does not request persistent/always-on status (always: false). It does not modify other skills or system-wide settings. Autonomous model invocation is allowed by default (disable-model-invocation: false), which is normal for skills; no additional elevated privileges are requested.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains unicode control characters detection. Hidden/control characters can be used for prompt injection (e.g., to hide instructions or alter parsing) and are not expected for a simple magazine builder. This is a suspicious signal that should be inspected: show raw SKILL.md bytes to ensure no hidden directives.
What to consider before installing
Before installing/running: 1) Inspect SKILL.md raw text for hidden/control characters (the registry scanner flagged unicode-control-chars). 2) Understand that audio generation uses edge-tts: story text will be sent to external TTS endpoints (Microsoft/Bing) — avoid including any private or sensitive information in stories. 3) The included scripts do not scrape news automatically; you must provide a stories JSON (or have the agent fetch news — decide whether you trust the agent to do web scraping). 4) The SKILL.md suggests using cloudflared to expose a local preview server publicly — only do this if you understand the privacy implications and trust the content being served. 5) If you want lower risk, run pip installs (edge-tts) in an isolated virtual environment or use an offline/local TTS engine instead. 6) If you plan to let the agent autonomously gather news, restrict it from fetching or posting sensitive data and review any gathered content before publishing. If you want, I can (a) show the raw SKILL.md with control characters highlighted, (b) suggest a safe local-only workflow, or (c) propose ways to modify the scripts to avoid sending text to external services.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9783wtrmdbqav6mkd22g3mat1834n41

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Kids AI Magazine (学前亲子AI电子杂志)

Generate interactive HTML magazines that turn AI news into stories for 3-6 year olds, with TTS audio narration.

Workflow

1. Collect News

Gather 3-5 current AI news items from reliable sources (36氪, 澎湃, TechCrunch, etc.). For each item, extract:

  • Core fact (one sentence)
  • Why it matters
  • Source URL

2. Adapt Stories

Transform each news item into a kids story. Each story needs:

  • Title: Fun, curiosity-driven (e.g., "机器人宝宝学走路啦!")
  • Paragraphs: 2-3 short paragraphs, use analogies to things kids know (bikes, scissors, building blocks)
  • TTS text: Pure Chinese narration text, no English words (replace "AI" → "智能技术", "GPU" → "芯片"), add verbal cues ("你知道吗?", "是不是很神奇呀?")
  • Parent-child dialogue: 2 Q&A pairs (child asks naive question → parent gives educational answer)
  • Parent note: Brief context for parents + source link
  • Icon: One emoji per story

3. Generate Audio

Prerequisite: pip3 install edge-tts

python3 scripts/generate_audio.py --stories stories.json --voice zh-CN-XiaoxiaoNeural --output-dir ./output

Voices: zh-CN-XiaoxiaoNeural (女声, recommended), zh-CN-YunxiNeural (男声), zh-CN-XiaoyiNeural (女童声)

TTS text rules:

  • No English words (TTS reads them letter by letter)
  • Add pauses with commas and periods
  • Use onomatopoeia: "噗通!摔倒啦!"
  • Warm narrator tone: "小朋友们好呀~"

4. Build HTML

Use assets/template.html as the base. The template includes:

  • Colorful header with rainbow gradient
  • Story cards with embedded audio players
  • Parent-child dialogue bubbles
  • Activity section, nursery rhyme, quiz
  • Mobile-responsive design

For custom builds: python3 scripts/build_magazine.py --stories stories.json --template assets/template.html --output output/index.html

5. Serve & Share

# Local preview
python3 -m http.server 8899 -d ./output

# Public sharing (install once: brew install cloudflared)
cloudflared tunnel --url http://localhost:8899

Story JSON Format

See references/example-stories.json for a complete 3-story example. Key fields:

{
  "title": "故事标题",
  "icon": "🤖",
  "paragraphs": ["HTML段落1", "段落2"],
  "tts_text": "纯中文朗读文本,无英文",
  "dialogue": [
    {"role": "child", "avatar": "👶", "text": "问题"},
    {"role": "parent", "avatar": "👩", "text": "回答"}
  ],
  "parent_note": "给家长的背景说明",
  "source_name": "来源名",
  "source_url": "https://..."
}

Design Principles

  1. No scary content — only positive, wonder-inspiring stories
  2. Analogy-first — explain everything through things kids already know
  3. Emotion boundary — always clarify: computers are smart but have no feelings
  4. Parent empowerment — every story gives parents a conversation hook
  5. Audio-first — assume kids can't read; audio must stand alone

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…