ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Local Life Hotspot

v6.0.0

搜索当天真实热门话题,选择一个深度创作,生成简约图片,自动发布。

0· 122·0 current·0 all-time
by@githubsoftware2015

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for githubsoftware2015/local-life-hotspot.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Local Life Hotspot" (githubsoftware2015/local-life-hotspot) from ClawHub.
Skill page: https://clawhub.ai/githubsoftware2015/local-life-hotspot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install local-life-hotspot

ClawHub CLI

Package manager switcher

npx clawhub@latest install local-life-hotspot
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's description is content creation + publish to Xiaohongshu. The code implements that, but the package/registry metadata and SKILL manifest declare no required binaries or env vars while the code calls an external 'mcporter' CLI to publish and imports Pillow for image generation. The skill also references Xiaohongshu MCP in README/package.json but does not declare or request the credentials or the mcporter binary that are necessary for publishing—this is an incoherence between claimed purpose and declared requirements.
!
Instruction Scope
SKILL.md and run.py instruct the agent to: query external search endpoints (s.jina.ai and r.jina.ai), read remote webpages, generate images, write drafts to /home/admin/openclaw/workspace/temp/ and /tmp, and call an external publisher via subprocess. These steps align with the feature set, but the code disables TLS verification for outgoing requests (insecure ssl_context) and uses subprocess.run(shell=True) to invoke 'mcporter' with user content embedded—both expand risk and deserve review. The skill does not read unrelated local secrets, but the publish step implicitly relies on external credentials/config that are not declared.
!
Install Mechanism
There is no install spec (instruction-only), yet package.json lists dependencies (Pillow) and README mentions Python 3.8+ and Xiaohongshu MCP. Because nothing is installed automatically, the runtime will fail or behave unexpectedly unless the environment already has Pillow and 'mcporter' configured. The absence of an install spec combined with runtime shell calls to an external CLI is inconsistent and risky if the environment lacks those components.
!
Credentials
The skill declares no required environment variables or credentials, but publishing to Xiaohongshu via the 'mcporter' CLI will require credentials or local config for the MCP. That means the skill will attempt to use credentials/config that live outside the skill and are not declared to the user. Additionally, the code writes files under a fixed /home/admin path and /tmp, which may be surprising. The number and type of implicit credentials/config accesses are disproportionate to the manifest's 'none' declaration.
Persistence & Privilege
always is false and the skill is user-invocable only; it does write drafts and image files to disk but does not modify other skills or agent-wide settings. It does not request permanent 'always' presence. File writes are limited to skill-related draft/image paths.
What to consider before installing
This skill appears to implement search→compose→image→publish, but check these before installing: 1) The code expects an external 'mcporter' CLI and Xiaohongshu MCP credentials even though none are declared—ensure you have and trust mcporter and that credential handling is acceptable. 2) Pillow (PIL) is required but not installed automatically—install it in a controlled environment. 3) The script disables TLS verification for network fetches (insecure) — consider removing that or validating endpoints. 4) The publish uses subprocess.run(shell=True) with user-generated content—review/escape inputs or avoid shell=True to reduce injection risk. 5) The skill writes files under /home/admin and /tmp—if you run it on a multi-user or production system run it in an isolated sandbox. If you plan to use auto-publish, verify how mcporter obtains credentials and test in a safe environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ffg8qmarz6gr7hr9bgz2scn83tsqh
122downloads
0stars
7versions
Updated 4w ago
v6.0.0
MIT-0
@githubsoftware2015
latest
Download

单话题深度创作助手 v6.0

核心理念

真实热点 + 深度内容 + 简约图片

v6.0 更新要点

1. 确保当天真实热点

✅ 多重试机制(3 次重试) ✅ 多查询搜索(3 个查询词) ✅ 搜索失败明确提示,不使用示例数据

2. 简化图片生成

✅ 纯色背景(根据领域配色) ✅ 居中显示标题 ✅ 快速生成,不复杂

3. 深度文案结构

✅ 话题引入 ✅ 概念解释 ✅ 核心要点 ✅ 实操指南(3 阶段) ✅ 行动建议 ✅ 常见问题(Q&A) ✅ 互动引导

快速使用

# 搜索当天热点并创作
python ~/.openclaw/skills/local-life-hotspot/run.py -k "职场干货" -a

# 指定具体话题
python ~/.openclaw/skills/local-life-hotspot/run.py -k "减肥" -t "16+8 轻断食" -a

参数说明

参数简写说明默认值
--keyword-k搜索关键词职场干货
--auto-publish-a自动发布false
--topic-t指定话题自动选择

图片配色

领域背景色
减肥粉色 (255, 182, 193)
职场蓝色 (100, 149, 237)
学习橙色 (255, 218, 185)
科技紫色 (138, 43, 226)
美食橙色 (255, 165, 0)
生活粉色 (255, 192, 203)

更新日志 v6.0

  • ✅ 确保搜索当天真实热门话题
  • ✅ 搜索失败时明确提示,不使用示例数据
  • ✅ 简化图片生成(纯色背景 + 标题)
  • ✅ 优化发布流程

Comments

Loading comments...