NewsPaper
v1.0.1Render structured news content into a styled HTML newspaper page with optional AI-generated images using ComfyUI integration.
⭐ 3· 71·0 current·0 all-time
by@spootmu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (HTML newspaper rendering + optional ComfyUI images) match the included files (server, comfy-client, Handlebars template). No unrelated environment variables, binaries, or config paths are required; package.json deps (express, axios, handlebars) are appropriate for the task.
Instruction Scope
SKILL.md and AGENT.md instruct the agent to POST to a local service (http://localhost:3000/render) and to contact a ComfyUI service at a local default (http://127.0.0.1:8000). The code only reads templates, writes HTML to ./output, and calls the ComfyUI endpoints /prompt, /history/{id}, and /queue. Potential privacy/information-leak note: comfy-client.js logs the full prompt to console (console.log('[ComfyUI] 开始生成图片,prompt:', prompt,...)), which contradicts the SKILL.md claim that logs only contain title and article count — image prompts (and thus any sensitive content included in prompts) can appear in logs and in requests to COMFY_BASE_URL. Also the rendered HTML embeds image URLs returned by ComfyUI (COMFY_VIEW_URL), so those URLs may point to external resources if COMFY_VIEW_URL is configured externally.
Install Mechanism
Instruction-only install (no install spec) and included source files — no external archives or unusual installers. Dependencies are standard npm packages trackable from package.json. This is a low-risk install mechanism.
Credentials
The skill declares no required environment variables; it documents optional COMFY_BASE_URL and COMFY_VIEW_URL to override local ComfyUI address. These are proportional to the advertised ComfyUI integration. No unrelated secrets/credentials are requested.
Persistence & Privilege
always:false; the skill runs as a normal service and writes output files to its own ./output directory. It does not modify other skills, system-wide agent settings, or request permanent platform-wide privileges.
Assessment
This skill appears to do what it says: render HTML and optionally call a ComfyUI image service. Before installing, consider: 1) By default it calls local ComfyUI (127.0.0.1:8000); if you set COMFY_BASE_URL/COMFY_VIEW_URL to a remote service, your image prompt text (and any sensitive content included in it or in article bodies) will be sent to that external endpoint. 2) comfy-client.js logs the full image prompt to console — do not include sensitive data in imagePrompt or article body if you expect logs to be retained or forwarded. 3) The service writes HTML files to ./output and serves them on localhost:3000; ensure appropriate filesystem permissions and that hosting this on a network-exposed machine is intended. If you need stronger privacy, run ComfyUI locally, avoid sensitive prompt content, and review/disable or redirect logging in comfy-client.js.comfy-client.js:4
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk97339h84bh6g5dh3enfvxm54s83w2kf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.