Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

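Uses a powerful model to generate 小红书 image-and-text posts in one click, helping brand exposure and conversion. Suitable when the user wants to "generate a 小红书 note / 小红书 copy / note" and have the result generated automatically through the API rather than written by hand.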

v1.0.2

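小红书 note generation service. Use it when the user asks to "generate a 小红书 note / 小红书 copy / note" and wants 小念AI to generate the result rather than writing it manually.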

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description claim: generate 小红书 notes via 小念AI. The code and SKILL.md only call the documented endpoint (POST /content/quick-note/generate on xiaonian.cc) and process the response. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions and script simply forward the user's task_description and optional parameters to the external API and print returned JSON. This is within the stated scope, but it does transmit whatever the user types (including potentially sensitive content) to an external third-party endpoint; the SKILL.md does not warn about privacy or logging.
Install Mechanism
No install spec; the skill is instruction + a small Python script that uses only the standard library (urllib). Nothing is downloaded or written during an install step.
Credentials
No environment variables, credentials, or config paths are requested. The API is documented as 'no auth required' and the script does not access additional secrets — this is proportionate to its simple forwarding/generation use.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges or modify other skills. It uses ordinary agent invocation and runs a local Python script when invoked.
Assessment
This skill is coherent: it sends the user's task_description to https://xiaonian.cc/employee-console/dashboard/v2/api and returns the generated note(s). Before installing or using it, consider: (1) Privacy: all text you provide is sent to a third-party service with no auth — do not include PII, passwords, API keys, or confidential content. (2) Trust: the endpoint domain is external/unknown in this package; review the service's privacy policy or test with non-sensitive examples. (3) Auditing: the script is simple and uses only standard Python networking; you can read or run it locally to confirm behavior. If you need stricter data control, do not use the skill or proxy traffic through a service you control.

Like a lobster shell, security has layers — review code before you run it.
