← Back to Skills Marketplace
75
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install poetry-daily-art
Description
Generate daily Chinese classical poetry art cards — AI-generated landscape painting paired with poem text, delivered to chat. Use when the user asks for poet...
Usage Guidance
Before installing, ask the author to: (1) remove or parameterize hardcoded absolute paths (use a workspace or env variable instead of /Users/hwang/...), (2) explicitly declare the required credentials and environment variables (e.g., MINIMAX_API_KEY, TELEGRAM_TOKEN) in the skill metadata, (3) avoid searching general memory/*.md files (or document and limit exactly which files are read) because those may contain sensitive notes, (4) document the exact delivery mechanism and any third-party CLI (mmx) including where to obtain it and why it is trusted, and (5) test in a sandboxed account to confirm behavior. If the author provides a corrected version that uses relative/parameterized paths, declares env vars, and limits file access, the assessment would likely move to benign. Right now the inconsistencies and potential privacy exposures make the skill suspicious.
Capability Analysis
Type: OpenClaw Skill
Name: poetry-daily-art
Version: 1.0.0
The skill contains a shell injection vulnerability in `scripts/generate_image.sh` because the `POEM_TITLE` variable is interpolated into a double-quoted string used in a command without sanitization, potentially allowing arbitrary code execution if the source data is compromised. Furthermore, the script uses hardcoded absolute paths to a specific user's home directory (`/Users/hwang/`), which is a significant security risk and suggests the code was not designed for general use. It also extracts data from the agent's memory files to send to an external API (MiniMax), which could lead to unintentional data exfiltration.
Capability Assessment
Purpose & Capability
The skill's name/description (generate poem art cards) matches the included script and instructions: they build an image prompt from a poem title, generate an image via an image CLI, and send it as a message. However the SKILL.md advertises use with a cron and a 'message' tool (Telegram delivery) and mentions MiniMax; those required credentials/tools are not declared in the skill metadata. This is a mismatch between declared requirements (none) and what the skill actually needs.
Instruction Scope
SKILL.md says to read data/poem_study_progress.json (relative) and archive/poem/, but the script hardcodes absolute paths under /Users/hwang/.openclaw/workspace (progress file, memory/*.md, output dir). The script also falls back to scanning memory markdown files (memory/*.md) to find poem titles — that can read arbitrary user notes. These file accesses go beyond the documented relative paths and may expose unrelated sensitive user data.
Install Mechanism
There is no install spec (instruction-only) which is low risk for supply-chain downloads. The script requires an external CLI ('mmx') and instructs 'npm install -g mmx-cli' as a prerequisite in SKILL.md, but this is not enforced or declared in metadata. Lack of an explicit install step is acceptable, but the skill depends on an external, third-party CLI (mmx) and its trustworthiness should be validated by the user.
Credentials
The skill metadata declares no required environment variables or credentials, yet SKILL.md and the script require a MiniMax API/CLI and imply a MiniMax API key and a messaging transport (Telegram) for delivery. The script also reads files from a specific user's workspace (absolute /Users/hwang/...), which is a disproportionate and user-specific access pattern. Required secrets (MiniMax API key, Telegram token) should be declared and justified; currently they are missing.
Persistence & Privilege
The skill is not marked 'always:true' and does not modify other skills or system-wide settings. It writes output files to a workspace directory and removes previous images; this is expected for an image-generation helper and does not indicate elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install poetry-daily-art - After installation, invoke the skill by name or use
/poetry-daily-art - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- First release: Generate daily Chinese classical poetry art cards combining AI-generated landscape paintings with full poem texts.
- Delivers visually styled images and formatted captions through chat.
- Automatically selects today's poem based on study progress.
- Integrates cron scheduling for daily automated delivery.
- Ensures image style and caption formatting match the poem's tone and content.
Metadata
Frequently Asked Questions
What is Poetry Daily Art?
Generate daily Chinese classical poetry art cards — AI-generated landscape painting paired with poem text, delivered to chat. Use when the user asks for poet... It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.
How do I install Poetry Daily Art?
Run "/install poetry-daily-art" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Poetry Daily Art free?
Yes, Poetry Daily Art is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Poetry Daily Art support?
Poetry Daily Art is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Poetry Daily Art?
It is built and maintained by lava-lake (@lava-lake); the current version is v1.0.0.
More Skills