朋友圈4宫格卡片 (Moments 4-Grid Cards)
Author: robinzhang · GitHub ↗ · v1.0.1
Total downloads: 432
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install moments-grid
Description
Enter a topic and the skill automatically generates WeChat Moments copy plus 4 tutorial card images.
Security usage advice
Do not install or run this skill unless you trust the author and understand the risks. Specific concerns: (1) the script contains a hard-coded third-party API key and will send your topics to https://api.minimaxi.com rather than using an OpenAI key you provide; this can leak prompts and any sensitive content you include; (2) required runtime dependencies (Playwright/Chromium, httpx/requests) are not declared — the skill may fail or trigger large automatic installs; (3) the SKILL.md is inaccurate about where the generation happens. Recommended actions before using: ask the author to remove the embedded API key and instead use a documented environment variable under your control; require explicit disclosure of the external service and its privacy policy; add an install spec or dependency list for Playwright/Chromium; or review and run the script in a sandboxed environment. If you cannot verify these changes, treat the skill as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: moments-grid
Version: 1.0.1
The skill is classified as suspicious due to several significant vulnerabilities in `scripts/generate.py`. It hardcodes a MiniMax API key, exposing a sensitive credential. Furthermore, the script is vulnerable to LLM prompt injection, as user input (`topic`) is directly embedded into the prompt sent to the MiniMax API. There is also a potential HTML/CSS injection vulnerability, as LLM-generated content is directly inserted into an HTML template rendered by Playwright, which could be exploited if the LLM generates malicious markup. While these are serious flaws, there is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
Capability assessment
Purpose & Capability
The SKILL.md says the skill requires the user's OpenAI API key, but the implementation does not use OpenAI — it calls a third‑party MiniMax API with a hard-coded API key. The code also relies on Playwright/Chromium to render images, but the skill metadata declares no binaries or install steps. These mismatches suggest the runtime behavior is not what the user is told.
Instruction Scope
SKILL.md limits scope to generating copy and images, but the script sends the user's topic to an external API (https://api.minimaxi.com/...) using an embedded credential. The README does not disclose this network destination or that the developer-supplied key will be used instead of the user's key, so user data may be transmitted to an unexpected third party.
Install Mechanism
There is no install spec, yet the script imports and uses Playwright (and launches a browser), plus requests/httpx. Those are non-trivial dependencies (Playwright requires installing Chromium). The absence of declared installs or required binaries is a mismatch and will lead to runtime failures or implicit installs outside the user's control.
Credentials
The skill declares no required environment variables, but the code embeds a long-looking API key constant. This provides the skill author (or whoever controls that key) access to all prompts sent to the service. The SKILL.md telling users to provide an OpenAI key is misleading and gives a false sense of control over where data goes.
Persistence & Privilege
The skill does not request always:true or modify system/other-skill configs. However, because it will transmit user-supplied topics to an externally controlled API using an embedded credential, autonomous invocation increases the potential blast radius — prompts sent automatically could be collected by the third party.
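How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install moments-grid
- Once installation completes, call the Skill by name or trigger it with /moments-grid
- Provide the required input according to the Skill's parameter description to get structured output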
Version history
v1.0.1
- No changes detected in this version; documentation and functionality remain the same.
v1.0.0
Initial release of 朋友圈4宫格卡片:
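- Enter a topic to automatically generate WeChat Moments copy and 4 tutorial card images
- Supports a variety of topics, such as "filter replacement tutorial" and "making egg fried rice"
- Output is suitable for posting directly to Moments
- Requires configuring an OpenAI API Key to use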
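Metadata
FAQ
What is 朋友圈4宫格卡片?
Enter a topic and it automatically generates WeChat Moments copy plus 4 tutorial card images. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has 432 total downloads so far.
How do I install 朋友圈4宫格卡片?
Run the command "/install moments-grid" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.
Is 朋友圈4宫格卡片 free?
Yes, 朋友圈4宫格卡片 is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does 朋友圈4宫格卡片 support?
朋友圈4宫格卡片 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed 朋友圈4宫格卡片?
It is developed and maintained by robinzhang (@robinzhang); the current version is v1.0.1.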