Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ai-dev-release-helper
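v1.0.0
AI Developer Release Assistant: automates the full GitHub project release workflow. Collect competitor information → AI-generate a project cover image → publish an in-depth analysis article to a WeChat Official Account in one click. Activates when the user needs to "publish an open-source project", "write a release announcement", "create a product introduction", or "generate a project cover".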
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, workflow.json, README and SKILL.md consistently describe a combo of web search (brave-search), image generation (nano-banana-pro/Gemini), and WeChat article publishing (wechat-article-pro). Those capabilities align with the stated purpose of automating release materials.
Instruction Scope
Runtime instructions call external search, image-generation, and WeChat-publishing skills and state images will be uploaded and articles can be auto-published. The skill also references fetching GitHub README and uploading images to a public WeChat backend. However the SKILL metadata declares no required credentials or config paths while README and workflow imply external API keys and OAuth credentials are needed—this mismatch means the runtime instructions expect access to external services that are not declared or gated.
Install Mechanism
Instruction-only skill with no install spec and no bundled code; nothing is written to disk by an installer. This is low-risk from an install/remote-download perspective.
Credentials
Metadata lists zero required env vars or credentials, but README and SKILL.md explicitly reference Brave Search API Key, WeChat AppID (and likely WeChat secret), and image-generation credentials (nano-banana-pro / Gemini access). Notifications in workflow.json target 'feishu' but no Feishu credentials are declared. The skill therefore under-declares required credentials and may prompt the user to provide sensitive tokens at runtime without prior transparency.
Persistence & Privilege
always is false and there are no config paths requested; the skill does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other high-privilege flags.
What to consider before installing
This skill appears to do what it says (search → image gen → WeChat article), but it under-declares the credentials and endpoints it needs. Before installing or running it you should: (1) confirm which API keys/secrets the dependent skills actually require (Brave Search API key, Gemini/nano-banana-pro credentials, WeChat AppID/secret, and any Feishu webhook/token for notifications); (2) avoid pasting high‑privilege or cross-service tokens unless you trust the dependency implementations and have reviewed their privacy/usage; (3) test in a sandbox account (use a throwaway WeChat/test GitHub) to observe network calls and what gets published; (4) review the implementations of the dependent skills (brave-search, nano-banana-pro, wechat-article-pro) to verify where data is uploaded and stored; and (5) if you require automatic publication, prefer explicit, documented OAuth flows and minimal-scope tokens rather than pasting master credentials. If you can provide the dependent skills' manifests or endpoint docs, I can re-evaluate and likely lower the concern.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971am2ytt27ayy6zr689e9sbx84tdz6
