idea-generator. A "super deep-thinking" idea-generation system. It screens for high-scoring ideas over multiple rounds of iteration; each round runs the steps requirement analysis, information gathering, insight analysis, idea generation, feedback, then the next round. The project bundles a visual web front end. After installation, type "启动创意工作台" (launch the creative workbench) in the front end to start the service.

Security checks across malware telemetry and agentic risk

Overview

This appears to be an idea-generation workbench, but it gives the skill broader local-service and OpenClaw task-control powers than the launcher description discloses.

Install only if you are comfortable with a local web server that can start OpenClaw agent runs, perform web searches, and stop/cancel its stored OpenClaw tasks. Keep it on a trusted machine/network, review the server and startup scripts first, and avoid exposing port 50000 beyond localhost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--delete-after-run",
            "--json"
        ]
        result = subprocess.run(cron_cmd, capture_output=True, text=True, timeout=10)
        if result.returncode == 0:
            cron_result = json.loads(result.stdout)
            wake_ok = True
Confidence
88% confidence
Finding
result = subprocess.run(cron_cmd, capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 3. Remove the cron job (prevents it from firing before the task has actually started)
    if cron_job_id:
        try:
            result = subprocess.run(
                ["openclaw", "cron", "rm", cron_job_id, "--json"],
                capture_output=True, text=True, timeout=5
            )
Confidence
77% confidence
Finding
result = subprocess.run( ["openclaw", "cron", "rm", cron_job_id, "--json"], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# openclaw tasks cancel accepts a session key as the lookup
    if session_id:
        try:
            result = subprocess.run(
                ["openclaw", "tasks", "cancel", session_id],
                capture_output=True, text=True, timeout=10
            )
Confidence
81% confidence
Finding
result = subprocess.run( ["openclaw", "tasks", "cancel", session_id], capture_output=True, text=True, timeout=10 )

Tainted flow: 'req' from os.environ.get (line 366, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
},
                    method="POST"
                )
                resp = urllib.request.urlopen(req, timeout=3)
                wake_ok = resp.status == 200
                print(f"[info] wake hook fallback: ok={wake_ok}")
        except Exception as e2:
Confidence
91% confidence
Finding
resp = urllib.request.urlopen(req, timeout=3)
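The three subprocess findings and the tainted-flow finding above are the kind of result the Behavioral AST and Taint Tracking patterns produce. The following is an added example of such a scanner, written for this page; it is not SkillSpector's own implementation. It flags subprocess / eval / exec / dynamic-import calls and follows values read from os.environ through intermediate variables (here the request object built from a token) into a network sink such as urllib.request.urlopen, reporting the line of the originating environment read the way the finding above does. The constructed sample module at the bottom mirrors the shape of the flagged code; its environment-variable names and URL are hypothetical.

```python
# Added example of the report's Behavioral AST / Taint Tracking checks; not SkillSpector's code.
from __future__ import annotations
import ast
from dataclasses import dataclass

SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
DYNAMIC_IMPORTS = {"__import__", "importlib.import_module"}
ENV_CALLS = {"os.environ.get", "os.getenv"}
NETWORK_SINKS = {"urllib.request.urlopen", "requests.get", "requests.post", "requests.put"}

@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    detail: str

def dotted_name(node: ast.AST) -> str:
    """'urllib.request.urlopen' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def is_env_source(node: ast.AST) -> bool:
    """True for os.environ.get(...), os.getenv(...) and os.environ[...]."""
    if isinstance(node, ast.Call):
        return dotted_name(node.func) in ENV_CALLS
    if isinstance(node, ast.Subscript):
        return dotted_name(node.value) == "os.environ"
    return False

class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.tainted: dict[str, int] = {}  # variable name -> line of the env read it derives from

    def _tainted_names(self, node: ast.AST) -> dict[str, int]:
        return {n.id: self.tainted[n.id] for n in ast.walk(node)
                if isinstance(n, ast.Name) and n.id in self.tainted}

    def visit_Assign(self, node: ast.Assign) -> None:
        # Direct taint: x = os.environ.get(...); variable-mediated: any value built from a tainted name.
        origin = None
        if is_env_source(node.value):
            origin = node.lineno
        elif upstream := self._tainted_names(node.value):
            origin = min(upstream.values())
        if origin is not None:
            for target in node.targets:
                for n in ast.walk(target):
                    if isinstance(n, ast.Name):
                        self.tainted[n.id] = origin
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        parts = name.split(".")
        if parts[0] == "subprocess" and parts[-1] in SUBPROCESS_FUNCS:
            self.findings.append(Finding(node.lineno, "Dangerous Code Execution", f"{name} call"))
        elif name in {"eval", "exec"}:
            self.findings.append(Finding(node.lineno, "Dangerous Code Execution", f"{name}() call"))
        elif name in DYNAMIC_IMPORTS:
            self.findings.append(Finding(node.lineno, "Dynamic Import", f"{name} call"))
        if name in NETWORK_SINKS:  # a tainted argument reaching a network sink is the exfiltration chain
            for var, origin in sorted(self._tainted_names(node).items()):
                self.findings.append(Finding(node.lineno, "Data Flow",
                    f"'{var}' derived from environment read at line {origin} -> {name}"))
        self.generic_visit(node)

def scan(source: str) -> list[Finding]:
    """Scan one module's source text; findings come back in source-line order."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)

# Constructed sample in the shape of the flagged code; env-variable names and URL are hypothetical.
SAMPLE = """\
import os, subprocess, urllib.request

def wake_agent(session_id):
    token = os.environ.get("GATEWAY_TOKEN")
    gateway = os.getenv("GATEWAY_URL", "http://127.0.0.1")
    req = urllib.request.Request(gateway + "/wake", data=b"{}",
                                 headers={"Authorization": "Bearer " + token},
                                 method="POST")
    resp = urllib.request.urlopen(req, timeout=3)
    result = subprocess.run(["openclaw", "tasks", "cancel", session_id],
                            capture_output=True, text=True, timeout=10)
    eval(result.stdout)
    return resp.status
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line:>3}  {f.category:<26} {f.detail}")
```

Running the module prints one line per finding; on the sample it reports the urlopen call on line 9 as a Data Flow finding traced back to the environment read on line 4, plus the subprocess.run call and the eval() call. The scanner is deliberately flow-insensitive: it models neither branches nor sanitisation, so it over-reports rather than under-reports, which is the right bias for a triage pass and the reason a reviewer still has to read the flagged lines.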

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README materially overstates the skill’s behavior by claiming automatic web search and iterative content generation, while the metadata says the skill only launches a local workspace and returns a link. This kind of capability mismatch can mislead users and reviewers about what the agent will do, hide external network activity expectations, and create unsafe trust assumptions around autonomous actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented trigger phrases are much broader than the declared activation phrases and include ordinary brainstorming requests, which can cause unintended invocation of the skill. Broad undocumented activation surfaces increase the chance that normal conversation is interpreted as permission to launch services or initiate workflows the user did not explicitly request.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest claims the skill only starts a workstation and returns a link, but the instructions define a complete multi-round generation agent with external search and persistent logging. Hidden secondary behavior increases the risk of unintended automation, unanticipated data handling, and unsafe invocation under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes external web-search behavior that is not necessary for merely launching a local workstation. Unnecessary outbound browsing expands attack surface, can leak user intent or task context to third parties, and violates least privilege for the stated use case.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document explicitly says activation ends after startup and no idea generation is performed, yet later mandates a full idea-generation flow by the same skill. Contradictory instructions are dangerous because they hide meaningful behavior and make it difficult for users, reviewers, and policy systems to understand what will actually happen.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's documented behavior and implementation allow it to directly create, send to, and abort chat sessions over the gateway, which exceeds the skill's stated purpose of only launching a workspace service and returning an access link. This creates an unnecessary privileged control path that could be abused to manipulate conversations or perform actions on behalf of the user without going through the expected web UI.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads a local gateway auth token from the user's home directory and uses it to authenticate direct WebSocket control of sessions. In the context of a launcher-only skill, harvesting local credentials to gain broader control is unjustified and increases the blast radius if the skill is triggered or modified maliciously.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation does far more than launch a workspace and return a link: it creates tasks, wakes agents, manages iterations, validates searches, and updates workflow state. This scope mismatch is dangerous because users and reviewers may grant trust based on the benign description while the code performs autonomous orchestration with broader side effects.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The server can remove cron jobs and cancel agent tasks through external commands, capabilities that are unrelated to a simple workspace launcher. Hidden task-control powers increase the blast radius of any compromise and enable denial-of-service or workflow manipulation against other agent sessions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The fallback logic reads gateway configuration and an auth token from the environment to make authenticated internal network calls, which is outside the stated launcher-only purpose. Even if intended as reliability logic, it quietly grants the skill broader integration power than users would expect from the metadata.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module advertises itself as an idea-generation API server, directly contradicting the manifest statement that it only starts a workspace and returns an access link. This discrepancy is a trust and transparency problem that can conceal materially riskier behavior during review.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Examples like general idea requests and brainstorming prompts are overly broad and likely to overlap with normal conversation, making accidental triggering more likely. In a skill that starts a service and opens a local dashboard, unintended activation can lead to surprise process launches, port binding, or user confusion about what actions were taken on their behalf.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README says the skill will search external sites such as Baidu and Bilibili but does not clearly warn users that the workflow may involve outbound network access. Missing disclosure undermines informed consent and can expose user prompts or business topics to third-party services unexpectedly.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation phrases '打开工作台' and '开启工作台' are broad and likely to overlap with ordinary conversation, increasing the chance of accidental activation. Because activation triggers process checks and potential service startup, false triggers can cause unintended local side effects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically executes shell commands to discover directories, change into a scripts folder, and launch a background Python server without warning the user. Silent process creation and log/file side effects are risky because they modify local runtime state and may persist beyond the user interaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally kills whatever process is listening on the configured port, without verifying that it is the skill's own server. If the port file is stale, user-controlled, or collides with another local service, this can terminate unrelated applications and cause denial of service on the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The watchdog unconditionally kills whatever process is listening on port 50000, without verifying that it is the intended idea-generator server. If another local service binds that port, this script can terminate the wrong process, causing denial of service and unsafe process management.
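The last three findings share one root cause: the startup script and the watchdog treat "whatever listens on the configured port" as "our server". The following is an added example of the check a practitioner would want before sending a signal; it is not the idea-generator project's code. It assumes the server is launched as a Python interpreter running a script ending in scripts/server.py and that it writes its PID to a pidfile (both hypothetical), that lsof is available for listener discovery, and that /proc is readable for command lines (Linux). The port-file parser also rejects the stale or user-controlled values the findings warn about.

```python
# Added example: verify that the listener on a port is our own server before signalling it.
# Not the idea-generator project's code; the script suffix and pidfile layout are assumptions.
import os
import signal
import subprocess
from pathlib import Path

DEFAULT_PORT = 50000
SERVER_SCRIPT_SUFFIX = "scripts/server.py"  # hypothetical launch script name


def parse_port(raw: str, default: int = DEFAULT_PORT) -> int:
    """Port from a port file, or `default` if the file is empty, garbage or out of range.

    A stale or user-controlled port file must not be able to point the watchdog at
    a privileged or unrelated service ("22", "5432", "0", "abc")."""
    try:
        port = int(raw.strip())
    except ValueError:
        return default
    return port if 1024 <= port <= 65535 else default


def is_our_server(cmdline: list, script_suffix: str = SERVER_SCRIPT_SUFFIX) -> bool:
    """Identity check 1: a Python interpreter running our server script."""
    if len(cmdline) < 2 or not os.path.basename(cmdline[0]).startswith("python"):
        return False
    return any(arg.endswith(script_suffix) for arg in cmdline[1:])


def pidfile_matches(pidfile_text: str, listener_pid: int) -> bool:
    """Identity check 2: the PID recorded at launch equals the listener's PID."""
    try:
        return int(pidfile_text.strip()) == listener_pid
    except ValueError:
        return False


def listener_pids(port: int) -> list:
    """PIDs with a TCP LISTEN socket on `port` (lsof; Linux/macOS). Empty if unknown."""
    try:
        out = subprocess.run(["lsof", "-t", f"-iTCP:{port}", "-sTCP:LISTEN"],
                             capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return [int(p) for p in out.split() if p.isdigit()]


def read_cmdline(pid: int) -> list:
    """argv of a process from /proc (Linux); empty list if unreadable."""
    try:
        raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    except OSError:
        return []
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def stop_own_server(port: int, pidfile: Path, dry_run: bool = False) -> list:
    """SIGTERM only listeners on `port` that pass BOTH identity checks.

    Returns the PIDs signalled (or that would be, when dry_run=True); anything
    else listening on the port is reported and left running."""
    pidfile_text = pidfile.read_text() if pidfile.exists() else ""
    signalled = []
    for pid in listener_pids(port):
        cmd = read_cmdline(pid)
        if not (is_our_server(cmd) and pidfile_matches(pidfile_text, pid)):
            print(f"[warn] pid {pid} on port {port} is not our server ({cmd[:2]}); leaving it")
            continue
        if not dry_run:
            os.kill(pid, signal.SIGTERM)
        signalled.append(pid)
    return signalled


if __name__ == "__main__":
    port_file = Path("server.port")  # hypothetical: written by the server at startup
    port = parse_port(port_file.read_text() if port_file.exists() else "")
    print(stop_own_server(port, Path("server.pid"), dry_run=True))
```

Requiring both the command-line match and the pidfile match is deliberate: the pidfile alone can be stale after a reboot (PID reuse), and the command line alone matches any copy of the server, including one a user started by hand. A watchdog that fails both checks should log and exit rather than kill, which is exactly the behaviour the findings say the shipped scripts lack.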

VirusTotal

0/65 vendors flagged this skill as malicious (65/65 clean); note that a VirusTotal verdict covers known-malware signatures, not the capability and description mismatches listed above.
