ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Contents

v1.0.0

MakeContents AI 资讯 Agent 技能。当用户需要自动执行资讯拉取、筛选推送(AINews/AITopics/AITools)、内容创作、内容发布、内容归档等任务时使用此技能。此技能调用本地运行的 MakeContents 应用 API,无需人工干预即可完成完整的内容创作和分发流程。

0· 23·1 current·1 all-time
by@zhuchenggong19851114-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say the agent will drive a local MakeContents app and the SKILL.md only calls http://localhost:3710 endpoints and reads/writes the included references files — these are coherent and proportional to the stated purpose.
Instruction Scope
Instructions are specific and limited to the local MakeContents API and the skill's own references files. Two items to note: (1) the SKILL.md explicitly requires using shell exec + curl instead of web_fetch, which means the agent will run shell commands (a broader capability than an in-process fetch); (2) the agent is instructed to append/update references/agent-rules.md (persistent file writes). Both are consistent with the skill's function but are privileges the user should be comfortable granting.
Install Mechanism
Instruction-only skill with no install spec and no third-party downloads — lowest-risk install posture.
Credentials
The skill does not declare or require any environment variables or external credentials. It expects the local MakeContents app to already hold service API keys/cookies in its own configuration, which is appropriate: the agent calls that local service and does not need the secrets itself.
Persistence & Privilege
always is false and the skill does not request system-wide changes. It does instruct the agent to update its own references/agent-rules.md (local persistent memory), which is expected for a learning workflow and limited in scope.
Assessment
This skill is internally consistent: it expects a MakeContents server running on http://localhost:3710 and uses that service (which should hold any API keys/cookies). Before enabling: (1) ensure you actually run the MakeContents app locally and that its stored API keys/cookies are configured securely; (2) be aware the skill asks the agent to run shell commands (exec + curl) — grant that only if you trust the agent runtime; (3) the agent will append to references/agent-rules.md (persistent file writes) — back up this file if you want history control; (4) the Xiaohongshu publish flow requires a separate app-level switch and cookies — the agent will not bypass that switch per its instructions. If any of these behaviors are unacceptable, do not install or restrict the agent's ability to execute shell commands and write files.

Like a lobster shell, security has layers — review code before you run it.

latestvk9775sve1ceny483qj8ferx5dh8454xq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments