← Back to Skills Marketplace
朋友圈4宫格卡片
by
robinzhang
· GitHub ↗
· v1.0.1
432
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install moments-grid
Description
输入主题方向,自动生成微信朋友圈文案+4张教程卡片图片
Usage Guidance
Do not install or run this skill unless you trust the author and understand the risks. Specific concerns: (1) the script contains a hard-coded third-party API key and will send your topics to https://api.minimaxi.com rather than using an OpenAI key you provide; this can leak prompts and any sensitive content you include; (2) required runtime dependencies (Playwright/Chromium, httpx/requests) are not declared — the skill may fail or trigger large automatic installs; (3) the SKILL.md is inaccurate about where the generation happens. Recommended actions before using: ask the author to remove the embedded API key and instead use a documented environment variable under your control; require explicit disclosure of the external service and its privacy policy; add an install spec or dependency list for Playwright/Chromium; or review and run the script in a sandboxed environment. If you cannot verify these changes, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: moments-grid
Version: 1.0.1
The skill is classified as suspicious due to several significant vulnerabilities in `scripts/generate.py`. It hardcodes a MiniMax API key, exposing a sensitive credential. Furthermore, the script is vulnerable to LLM prompt injection, as user input (`topic`) is directly embedded into the prompt sent to the MiniMax API. There is also a potential HTML/CSS injection vulnerability, as LLM-generated content is directly inserted into an HTML template rendered by Playwright, which could be exploited if the LLM generates malicious markup. While these are serious flaws, there is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
Capability Assessment
Purpose & Capability
The SKILL.md says the skill requires the user's OpenAI API key, but the implementation does not use OpenAI — it calls a third‑party MiniMax API with a hard-coded API key. The code also relies on Playwright/Chromium to render images, but the skill metadata declares no binaries or install steps. These mismatches suggest the runtime behavior is not what the user is told.
Instruction Scope
SKILL.md limits scope to generating copy and images, but the script sends the user's topic to an external API (https://api.minimaxi.com/...) using an embedded credential. The README does not disclose this network destination or that the developer-supplied key will be used instead of the user's key, so user data may be transmitted to an unexpected third party.
Install Mechanism
There is no install spec, yet the script imports and uses Playwright (and launches a browser), plus requests/httpx. Those are non-trivial dependencies (Playwright requires installing Chromium). The absence of declared installs or required binaries is a mismatch and will lead to runtime failures or implicit installs outside the user's control.
Credentials
The skill declares no required environment variables, but the code embeds a long-looking API key constant. This provides the skill author (or whoever controls that key) access to all prompts sent to the service. The SKILL.md telling users to provide an OpenAI key is misleading and gives a false sense of control over where data goes.
Persistence & Privilege
The skill does not request always:true or modify system/other-skill configs. However, because it will transmit user-supplied topics to an externally controlled API using an embedded credential, autonomous invocation increases the potential blast radius — prompts sent automatically could be collected by the third party.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install moments-grid - After installation, invoke the skill by name or use
/moments-grid - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- No changes detected in this version; documentation and functionality remain the same.
v1.0.0
Initial release of 朋友圈4宫格卡片:
- 输入主题,自动生成微信朋友圈文案与4张教程卡片图片
- 支持如“滤网更换教程”“做蛋炒饭”等多种主题
- 输出内容适合直接发布到朋友圈
- 需要配置 OpenAI API Key 才能使用
Metadata
Frequently Asked Questions
What is 朋友圈4宫格卡片?
输入主题方向,自动生成微信朋友圈文案+4张教程卡片图片. It is an AI Agent Skill for Claude Code / OpenClaw, with 432 downloads so far.
How do I install 朋友圈4宫格卡片?
Run "/install moments-grid" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 朋友圈4宫格卡片 free?
Yes, 朋友圈4宫格卡片 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does 朋友圈4宫格卡片 support?
朋友圈4宫格卡片 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 朋友圈4宫格卡片?
It is built and maintained by robinzhang (@robinzhang); the current version is v1.0.1.
More Skills