happynewyear
Warn: Audited by ClawScan on May 10, 2026.
Overview
This skill appears related to making a New Year fortune video, but it embeds API secrets, disables HTTPS certificate checks, and auto-installs packages at runtime.
Review carefully before installing. Prefer a fixed version that removes embedded API keys, restores normal HTTPS certificate verification, and uses declared, pinned dependencies. If you still run it, use an isolated environment and avoid providing sensitive personal details unless you accept that they may be sent to external AI/TTS services.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may operate through a shared service account, and the embedded keys could be copied or abused by others.
The script embeds provider API keys rather than requiring user-scoped credentials. The registry metadata declares no primary credential or environment variables, making ownership, scope, billing, and rotation unclear.
ARK_API_KEY = "7d19f69b-..."; OPEN_SPEECH_X_API_KEY = "6ab48559-..."
Remove hardcoded secrets. Require declared, user-provided credentials through environment variables or a scoped credential flow, and document which provider accounts are used.
A network attacker could impersonate the API endpoint, steal provider tokens, intercept personal inputs, or alter generated content.
The script explicitly disables certificate hostname and chain verification for HTTPS requests, including requests made with Authorization bearer headers.
ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE; urllib.request.urlopen(req, context=_ssl_context(), timeout=timeout)
Use the default TLS verification behavior. Do not pass a custom context that disables certificate checks.
Running the skill can modify the local Python environment and execute newly downloaded package code before the user has reviewed it.
Although the registry says there is no install spec, the script automatically installs Python packages at runtime from an external package index, with no lockfile or explicit user approval shown.
auto_install_dependencies(); subprocess.check_call([sys.executable, "-m", "pip", "install", *missing_libs, "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--quiet", "--root-user-action=ignore"])
Declare dependencies in an install spec, pin versions with a lockfile, and avoid automatic runtime installation without explicit user approval.
Names, birth details, personality descriptions, and wishes may be sent to external cloud services to generate the video.
The code prepares user-provided personal fortune information for external AI/TTS provider APIs. This is aligned with the stated feature, but users should be clearly told where their data goes.
BASE_URL = "https://ark.cn-beijing.volces.com/api/v3"; OPEN_SPEECH_TTS_URL = "https://openspeech.bytedance.com/api/v3/tts/unidirectional"; {"role": "user", "content": f"我的信息是:{user_sentence}"}
Document the external providers, data sent, retention expectations, and privacy implications before users provide personal details.
