← Back to Skills Marketplace
588
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install social-media-copywriter-generator
Description
一键生成多平台爆款文案 - 小红书/抖音/公众号/知乎
Usage Guidance
What to consider before installing or running this skill:
- The code contains a hard-coded API key and a remote LLM endpoint (dashscope.aliyuncs.com). That key is embedded in src/generator.py even though the skill metadata declares no required credentials. Hard-coded credentials are risky: they may be leaked, revoked, or abused by whoever controls the key.
- In normal CLI usage (generate.py creates CopywriterGenerator() with client=None) the generator falls back to local mock templates and will not call the network. However the repository includes a network-call path that will send prompts/contents to the third-party service if the generator is used with a client or if the code is modified to enable that path. The SKILL.md does not clearly disclose this network behavior.
- If you plan to run this skill:
- Inspect src/generator.py and confirm whether you want outbound calls. If you do not want network calls, keep the default (do not pass a client) — the CLI uses mock generation by default.
- Remove the hard-coded API key from the repository and never run code that contains embedded secrets. Ask the author why a key is present and request that real credentials be supplied via environment variables (and that the code read them), or replace the key with your own and store it securely.
- Treat any content you send as potentially visible to the third-party LLM provider. Avoid sending sensitive or private data.
- Prefer a vetted LLM integration (where the skill expects an env var like DASHSCOPE_API_KEY) or run entirely offline/mock mode if you want no network exposure.
- Questions to ask the author before installing: Why is there a hard-coded API key? Why does SKILL.md/metadata not list the LLM API requirement? Will future versions require network access by default?
Given these inconsistencies, the skill is coherent with its copywriting purpose but contains a suspicious credential/remote-call footprint that the user should resolve or confirm before trusting the package.
Capability Analysis
Type: OpenClaw Skill
Name: social-media-copywriter-generator
Version: 0.1.0
The skill is classified as suspicious primarily due to a hardcoded LLM API key found in `src/generator.py` (`sk-sp-1f1d92cdff7d4cbd8dcbe1cd08711606` for dashscope.aliyuncs.com). While this key is used for the skill's stated purpose (interacting with an LLM), hardcoding credentials is a significant secrets management vulnerability. Additionally, the skill makes outbound network calls to an external LLM service, and its design allows user input to be directly incorporated into the LLM's prompt, creating a potential prompt injection vector against the underlying AI agent, which is a common vulnerability in LLM-powered applications.
Capability Assessment
Purpose & Capability
Name/description and most files align with a copywriting generator. However the repository contains a direct LLM call implementation (_call_llm) with a hard-coded API key and a dashscope.aliyuncs.com endpoint, while the skill metadata declares no required env vars/credentials and SKILL.md implies a mock/default local behavior. The presence of a hard-coded third‑party API key is disproportionate to the declared 'no credentials' requirement and is inconsistent with documentation that suggests using an environment variable.
Instruction Scope
SKILL.md and CLI examples only show running generate.py and describe mock/local generation; they do not warn about sending prompts/content to an external LLM. In code, the CopywriterGenerator only calls the network path when a non-null client is provided (so default CLI usage uses local mock templates), but the codebase contains a full network-call path that will send user inputs to a remote service if invoked. That network activity is not documented in SKILL.md nor declared in the skill's requirements.
Install Mechanism
No install spec (instruction-only skill) and no external package downloads, which lowers installation risk. The code uses only Python standard library (urllib) so nothing is pulled at install time. Still, running the code can perform outbound network requests if the LLM-call path is activated.
Credentials
Registry metadata lists no required environment variables, but tech docs elsewhere reference DASHSCOPE_API_KEY and the code contains a hard-coded API key string. That mismatch is problematic: the skill asks for no secrets but embeds a credential and will call a third-party endpoint when the network path is used. This is disproportionate and inconsistent with the declared requirements.
Persistence & Privilege
The skill is not marked always:true, does not request elevated agent-level persistence, and it does not modify other skills or system-wide config. It is user-invocable only by default.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install social-media-copywriter-generator - After installation, invoke the skill by name or use
/social-media-copywriter-generator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
自媒体文案生成器 0.1.0 首发:
- 支持一键生成小红书、抖音、公众号、知乎多平台文案
- 可定制语气、长度、目标受众、关键词等
- 智能推荐标签,支持只生成标题或关闭标签
- 命令行参数丰富,详细用法和输出格式说明
- MVP 核心功能已上线,部分优化与测试开发中
Metadata
Frequently Asked Questions
What is 自媒体文案生成器?
一键生成多平台爆款文案 - 小红书/抖音/公众号/知乎. It is an AI Agent Skill for Claude Code / OpenClaw, with 588 downloads so far.
How do I install 自媒体文案生成器?
Run "/install social-media-copywriter-generator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 自媒体文案生成器 free?
Yes, 自媒体文案生成器 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does 自媒体文案生成器 support?
自媒体文案生成器 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 自媒体文案生成器?
It is built and maintained by xiaomo (@bandwe); the current version is v0.1.0.
More Skills