Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Long Image Generator

v1.0.3

Generative AI long-image (vertical image) creation skill. Uses canvas to render text, LaTeX formulas, charts and other content into tall strip images (1080x+ pixels), suited to course notes, knowledge cards, study guides, reading notes, mind maps and similar uses. Trigger conditions: (1) the user asks to "generate a long image" or "make a long image"; (2) the user mentions "vertical image", "poster", "knowledge...

by math@daigxok
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description (long/vertical image generation) match the SKILL.md instructions: they describe splitting content into parts, building HTML templates, rendering via the platform 'canvas' tool, and uploading the result. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
The instructions embed user content directly into HTML templates (${content}, ${代码内容}, etc.) and instruct the renderer to include remote JS/CSS from CDNs (Google Fonts, jsDelivr for KaTeX and highlight.js). There is no guidance to sanitize or escape user-supplied HTML/JS, so malicious or accidental scripts in content could execute in the rendering environment or trigger network calls. The doc also references platform file paths (/root/.openclaw/media/outbound/...) and upload helpers (lightclaw_upload_file, litterbox) which are expected, but any use of external resources should be constrained and versions pinned.
Install Mechanism
Instruction-only skill with no install spec or code files: minimal installation risk. The runtime depends on platform-provided canvas and upload utilities rather than downloading code at install time.
Credentials
The skill declares no environment variables, no credentials, and no config paths. Requested capabilities are proportionate to its purpose. Note: it relies on network access to CDNs (fonts and JS), which is reasonable but increases runtime external dependencies.
Persistence & Privilege
The always flag is false and the skill is user-invocable. It does not request permanent presence or access to other skills' configuration. No privileged persistence is requested.
What to consider before installing
This skill appears to do what it says (generate long vertical images), but exercise caution before enabling it widely:
1) Ensure user-supplied content is sanitized/escaped before being injected into the HTML template, to prevent script injection and unintended network calls.
2) Prefer pinning or vendoring the KaTeX, highlight.js and font assets (or proxying them) rather than pulling them from CDNs at render time, since remote resources can change.
3) Confirm how the platform's canvas renderer sandboxes JS: ask the platform whether included scripts run with network access or privileged APIs.
4) Limit allowed HTML/CSS features (no <script> tags, no external resource loading) or provide a safe mode that only allows sanitized Markdown/LaTeX.
5) For sensitive environments, avoid loading third-party CDNs and review generated files before public sharing.
If you cannot enforce sanitization or control CDN usage, treat this skill as higher risk.
