Smarter Content

✍️ 智能多平台内容生成器 - 从想法到成品一站式写作，自动适配微信/知乎/小红书/Blog 格式，内置 SEO 优化 + AI 事实核查保证准确性。

What to consider before installing: - The skill does what it says (generates and exports platform-specific content) but contains risky code patterns. Specifically, scripts use child_process.execSync to run node commands built by concatenating user-generated strings (e.g., passing generated content or a URL into a shell command). This creates command-injection risk: if an attacker can control the topic, reference URL, or generated content, they may inject shell/JS code. Ask the author to replace execSync+string commands with safe APIs (execFile/spawn with argument arrays or direct library calls) and to sanitize/validate inputs. - SKILL.md contains unicode control characters flagged as prompt-injection signals. That could be an attempt to manipulate the model or hide instructions; inspect SKILL.md raw text and remove/understand any hidden characters. - There are coding bugs (e.g., extractKeywords references the wrong variable name) — sloppy code increases the chance of runtime errors or unexpected behavior. - The skill calls a local path node ai-fact-checker/scripts/fact-check.js and requires an external module 'ai-fact-checker'. Only use if you trust that module's source; verify its code before granting it access to generated content. - If you need this functionality but want to reduce risk: run it in a sandboxed environment, require the author to fix the exec/spawning and input-escaping issues, and ensure the ai-fact-checker dependency is from a trusted source. If you cannot review or sandbox it, consider not installing it. Confidence note: Assessment is medium confidence because the code is small and its intent is coherent, but the unsafe use of execSync and the presence of prompt-injection markers are concrete red flags that prevent a benign classification.

Type: OpenClaw Skill Name: smarter-content Version: 1.1.0 The skill bundle contains significant command injection vulnerabilities in `scripts/content-generator.js` and `scripts/style-mimic.js` due to the use of `execSync` with unsanitized string interpolation for content and URLs. While these flaws allow for potential Remote Code Execution (RCE), the overall logic appears functional and aligned with the stated purpose of content generation and style analysis. No evidence of intentional data exfiltration, persistence, or malicious backdoors was found, placing it in the 'suspicious' category rather than 'malicious'.