Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gzh copywriter
v1.0.0为公众号内容创作打造的文章生成工具,基于全网超过1000条爆款文章,精准总结相关的热门文章的结构、风格、行文等,提炼核心流量密码与创作要点,高效产出爆款文章。
⭐ 0· 30·0 current·0 all-time
byto the moon@yuanyi-github
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (公众号文案生成) align with the provided files and the included fetch_gzh_trends.py script that obtains '爆款' (trending) data. However, the script points to an unfamiliar third‑party endpoint (https://onetotenvip.com/skill/cozeSkill/getWxCozeSkillData) as the single authorised data source; centralising all queries to an opaque domain is not strictly required by the stated purpose and increases risk.
Instruction Scope
SKILL.md and references explicitly require using scripts/fetch_gzh_trends.py and forbid other data sources; the agent will therefore send user-supplied keywords (and possibly other runtime context) to the remote API. The instructions also forbid showing the script command and raw API output, which concentrates data flow to the remote service and reduces transparency. These constraints expand scope to cross-network data transfer that isn't obvious from the description.
Install Mechanism
No install spec (instruction-only) and only a Python dependency (requests). No downloads or archive extraction are present in the manifest. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or credentials, which is appropriate, but it mandates querying an external API for all trend data. That means user-provided keywords and any context the agent sends will be transmitted off-platform to an unknown domain; this is a privacy/exfiltration concern even without explicit credential requests.
Persistence & Privilege
The skill is not 'always' enabled, does not request elevated privileges, and does not modify other skills or system configuration. Persistence/privilege level is appropriate.
What to consider before installing
This skill appears to do what it says (generate WeChat public-account copy) and includes a script that fetches trending-article data, but it requires using a single external API hosted at an unfamiliar domain (onetotenvip.com). That means any keywords or context you provide will be sent to that third party. Before installing or using: 1) Avoid sending sensitive or private keywords/data to this skill. 2) Request the maintainer/source of the endpoint and privacy/retention practices (no homepage/source is provided). 3) Inspect and (if needed) run scripts in a sandbox or isolated environment to observe network calls. 4) Consider replacing or auditing the data source (use a known/trusted API) if you need to process confidential inputs. 5) Note the shipped script appears truncated in the manifest — ask for the complete source and verify it matches the published behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk978kjw8ygxm58102j8r3tjtkd84v5wt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.