Chinese Content Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Chinese content-writing helper that uses DeepSeek and Juejin network APIs, with privacy caveats around sending entered topics and titles to DeepSeek.

Install only if you are comfortable using a DeepSeek API key from ~/.openclaw/.env and sending article topics or titles to DeepSeek. Do not enter confidential business plans, client names, unpublished sensitive work, or personal data unless that is acceptable under your own data-handling rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
User-supplied topics are embedded into the prompt and transmitted to api.deepseek.com, but the tool only prints a generic generation message and does not clearly warn that the topic leaves the local environment. If a user enters confidential business plans, personal data, or unpublished material, the skill can unintentionally disclose sensitive information to a third-party service.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script reads a local API key from the user's home directory and silently sends user-provided content to an external LLM service without any disclosure or consent step. Even though the credential is used for its intended API, the combination of credential access and outbound transmission can surprise users and may expose sensitive titles or internal topics to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
