Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lucky Wallpaper Generator

v1.0.0

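Automatically generates 小红书-style lucky wallpapers, wealth-attracting avatars, and mood cards. Supports four series: wealth, good luck, healing, and career.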

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The README and SKILL.md advertise AI generation via 通义万相/即梦 and optional automatic publishing to 小红书, yet the provided code (scripts/generate.js) only generates local JSON configuration files and does not call any external APIs or implement publishing. The SKILL.md also references a batch.js script and a config.json but batch.js is absent and generate.js ignores a config.json, indicating mismatch between claimed capabilities and actual implementation.
! Instruction Scope
Runtime instructions instruct the agent to '调用API → 通义万相/即梦生成图片' and '可选发布 → 自动发布到小红书', and describe a config.json for apiProvider, but there is no code to perform network calls or publishing. The instructions therefore direct actions (external API calls, posting to third-party service) that the shipped code does not implement or justify.
Install Mechanism
No install spec (instruction-only plus JS files). Requires 'node' which is consistent with the included scripts. Nothing is downloaded from external URLs and no extract/install behaviors are present.
! Credentials
SKILL.md implies need for external API credentials (通义万相/即梦) and possibly 小红书 publishing tokens, but requires.env lists none and the code does not reference any environment variables. Required credentials are missing from metadata, so users would have to supply secrets out-of-band or the agent would have to prompt for them — a proportionality/clarity issue.
Persistence & Privilege
The skill is not always-enabled, has no special persistence requests, and does not modify other skills or system config. It exports functions for local use and runs only when invoked.
What to consider before installing
This skill appears to be a prompt/config generator, not a full image-generation + publishing tool as advertised. Before installing or granting any credentials:
1) Verify whether you actually need API keys for 通义万相/即梦 or 小红书 — the package metadata declares none but the docs request them.
2) Ask the author/maintainer for the missing batch.js and for explicit, reviewable code that performs API calls and publishing; do not hand over API keys until that code is audited.
3) If you expect automatic publishing, require the skill to explicitly declare required env vars and show how credentials are stored/used.
4) If you plan to run the scripts, run them in a sandboxed environment first (they currently only write JSON files).
Given the inconsistencies, treat the skill as incomplete and verify the network/publishing behavior before using it with real credentials.


latest vk97b1f33mp7kt6rwm0w0n1sqeh83qzn8

Runtime requirements

🎨 Clawdis
Bins: node