Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chinese Content Generator

v1.0.0

A Chinese social-media content generator. Generate articles, titles and summaries suited to Juejin, Zhihu, WeChat Official Accounts and Xiaohongshu with one click. Supports trending-topic tracking and SEO optimization.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (Chinese social-media content generator, trending topics, SEO) align with the included scripts (generate.js, optimize-title.js, trending.js). However, the SKILL.md references additional scripts (adapt.js, setup-ai.js) that are not present, and the README/config suggestions (editing ~/.openclaw/skills/.../config.json) do not match how the code actually reads its configuration. These packaging mismatches warrant caution.
Instruction Scope
SKILL.md instructs running node scripts under ~/.openclaw/skills/..., which matches present files, but the scripts read ~/.openclaw/.env for DEEPSEEK_API_KEY despite the metadata claiming no required env vars. The instructions also point to adapt.js and setup-ai.js that are missing. The skill reads a user-home .env file (outside the skill directory), which can contain secrets — the runtime scope is broader than the documentation declares.
Install Mechanism
No install spec or remote downloads are present; this is an instruction-plus-source package. No installer downloads arbitrary code from external URLs, which lowers install-time risk.
Credentials
Package metadata declares no required environment variables, but both generate.js and optimize-title.js read CONFIG_PATH = ~/.openclaw/.env and expect DEEPSEEK_API_KEY. That is a clear mismatch: the skill will access an API key file (and thus potentially other secrets in that file) even though nothing in the registry metadata or SKILL.md declares this requirement. Requiring an API key for the DeepSeek provider is plausible, but it should be documented and scoped explicitly.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and does not persist credentials itself. It only reads ~/.openclaw/.env and performs outbound HTTPS calls to api.deepseek.com and api.juejin.cn.
What to consider before installing
This skill appears to implement the content-generation features it advertises, but there are packaging and documentation inconsistencies you should resolve before running it:

- Do not run these scripts until you inspect the code locally. The scripts read ~/.openclaw/.env for DEEPSEEK_API_KEY even though the skill metadata declares no required env vars — put a dedicated test key in a separate file if you must test.
- The SKILL.md refers to adapt.js and setup-ai.js, which are not included. Ask the publisher why those files are missing or whether the package is incomplete.
- Because the code reads ~/.openclaw/.env (a file in your HOME), ensure that file does not contain other unrelated secrets you care about. Prefer adding only the minimal API key (DEEPSEEK_API_KEY) or temporarily setting an env var for testing instead of placing many secrets in that file.
- Verify the remote endpoints (api.deepseek.com, api.juejin.cn) and consider running the scripts in a controlled environment (container or VM) to inspect network traffic and ensure no unexpected exfiltration.
- Treat the Pro-contact instructions (QQ) as out-of-band sales info; do not share secrets when requesting upgrades.

If the publisher confirms the missing files are unnecessary and documents DEEPSEEK_API_KEY explicitly (or changes the code to accept an env var or credential declared in metadata), the inconsistencies would be resolved and the risk reduced.

Like a lobster shell, security has layers — review code before you run it.


