Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hugo Blog Publisher
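v1.1.1
Publishes articles to a Hugo blog. Used when the user says "publish blog", "push to blog", "post to blog", "publish article", and similar. Automatically handles front matter rendering, adding the <!--more--> marker, and the git push workflow.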
⭐ 0· 929·2 current·2 all-time
by Tony @tanteng
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (publish to Hugo, render front matter, add <!--more-->, git push) align with the SKILL.md instructions. The skill does not request unrelated credentials, binaries, or installs. Reading local blog config and performing git operations is coherent with publishing workflow.
Instruction Scope
Instructions explicitly tell the agent to locate blog configuration (including MEMORY.md/USER.md and .git), generate front matter, create tag/category _index.md files if needed, add <!--more-->, and run git add/commit/push in the blog directory. This is expected for a publisher but worth noting: automatic reading of MEMORY.md/USER.md and .git config can surface sensitive local information (paths, remote URLs, occasionally embedded credentials). The skill will run git push which will transmit data to whatever remote is configured.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk writes and supply-chain risk.
Credentials
The skill declares no required environment variables or credentials. It relies on the host machine's existing git/SSH/GitHub configuration, which is proportionate to a local publishing tool. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request persistent system-wide changes or modify other skills' configuration.
Assessment
Before installing or invoking this skill, consider the following:
- It will access local files to find blog configuration (MEMORY.md / USER.md and the repository's .git). Make sure those files don't contain secrets or unintended content you don't want read.
- The skill will run git add/commit/git push in the detected blog directory. Confirm the repository remote and branch to avoid pushing to the wrong remote or exposing drafts. Provide the blog path explicitly if you don't want the skill to auto-detect.
- Ensure your machine's git/SSH credentials are configured correctly; the skill will use whatever credentials are already present. If you use credential helpers or tokens stored in files, be aware those mechanisms will be invoked by git.
- Because this is instruction-only, the agent will perform filesystem and git operations when invoked. Run it in a safe environment (a local clone or disposable branch) the first time to verify behavior.
- If you are uncomfortable with automatic discovery of MEMORY.md/USER.md or automatic pushes, ask the agent to show the planned changes and the exact git commands before executing them, or provide explicit configuration (blog path, remote) instead of allowing auto-detection.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97es8y0z199ypptyhmfjyhrxs83kmkn
