Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
hot-topic-ideator
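v1.0.0
Generates Xiaohongshu trending-topic selections and content ideas. Use when the user mentions "热点选题" (trending topic selection), "内容创意" (content ideas), "小红书选题" (Xiaohongshu topic selection), "trending topics", "content ideas", "热门话题" (hot topics), or "爆款选题" (viral topic selection). Suited to brand social media operations, content planning, and trend-driven marketing scenarios.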
⭐ 0· 737·4 current·4 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the advertised purpose (search 小红书 notes via a ChatDAM API, analyze engagement, and output an HTML/PDF report). However the registry declares a required binary 'uv' (installed via a brew formula) which is not referenced or justified anywhere in the instructions; requiring 'uv' appears disproportionate to an instruction-only skill that only uses curl and HTML generation.
Instruction Scope
Instructions are specific and constrained to calling asset.tezign.com/chatdam endpoints, computing scores, and producing an HTML report — that matches the purpose. But SKILL.md requires an environment variable CHATDAM_API_TOKEN for API calls while the skill's declared metadata listed no required env vars; this mismatch is a packaging/integrity problem. There are no instructions to read unrelated local files or exfiltrate extra data.
Install Mechanism
The registry includes a brew install for formula 'uv' despite the skill being instruction-only and the instructions not referencing 'uv'. Installing a new binary from Homebrew for no explained reason is disproportionate. While a Homebrew formula is lower risk than arbitrary downloads, an unexplained install is a red flag and should be justified (what is 'uv' used for, which tap, and why is it required?).
Credentials
The runtime requires CHATDAM_API_TOKEN (used in all curl calls to asset.tezign.com) which is a reasonable, narrowly scoped credential for the described API. However the skill manifest did not declare any required env vars or a primary credential — that inconsistency weakens trust. The token's required scope is unspecified; the user should confirm minimal scope (read-only) before providing it.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not declare config paths, and does not attempt to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other escalations here.
What to consider before installing
Key points to check before installing: (1) Ask the publisher why a 'uv' Homebrew formula is required — the SKILL.md only uses curl/HTML; avoid installing unexplained binaries. (2) The SKILL.md needs CHATDAM_API_TOKEN but the registry metadata does not list required env vars — request that the manifest be corrected to declare CHATDAM_API_TOKEN and explain required token scopes; prefer a read-only, limited-scope token. (3) Verify the API host (https://asset.tezign.com) is the intended/official provider and that giving it a token is acceptable for your data policy. (4) If you must test, run in an isolated environment (VM/container) and do not reuse high-privilege credentials. (5) If the publisher cannot justify the 'uv' install or fix the metadata mismatch, consider this skill untrusted or request a corrected package that either removes the install or documents its purpose.
Like a lobster shell, security has layers — review code before you run it.
latestvk97f4zncf8gghe48515q7qbznh81yh09
Runtime requirements
🔥 Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv