Total downloads: 75
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install poetry-daily-art
Description
Generate daily Chinese classical poetry art cards — AI-generated landscape painting paired with poem text, delivered to chat. Use when the user asks for poet...
Security recommendations
Before installing, ask the author to: (1) remove or parameterize hardcoded absolute paths (use a workspace or env variable instead of /Users/hwang/...), (2) explicitly declare the required credentials and environment variables (e.g., MINIMAX_API_KEY, TELEGRAM_TOKEN) in the skill metadata, (3) avoid searching general memory/*.md files (or document and limit exactly which files are read) because those may contain sensitive notes, (4) document the exact delivery mechanism and any third-party CLI (mmx) including where to obtain it and why it is trusted, and (5) test in a sandboxed account to confirm behavior. If the author provides a corrected version that uses relative/parameterized paths, declares env vars, and limits file access, the assessment would likely move to benign. Right now the inconsistencies and potential privacy exposures make the skill suspicious.
Functional analysis
Type: OpenClaw Skill
Name: poetry-daily-art
Version: 1.0.0
The skill contains a shell injection vulnerability in `scripts/generate_image.sh` because the `POEM_TITLE` variable is interpolated into a double-quoted string used in a command without sanitization, potentially allowing arbitrary code execution if the source data is compromised. Furthermore, the script uses hardcoded absolute paths to a specific user's home directory (`/Users/hwang/`), which is a significant security risk and suggests the code was not designed for general use. It also extracts data from the agent's memory files to send to an external API (MiniMax), which could lead to unintentional data exfiltration.
Capability assessment
Purpose & Capability
The skill's name/description (generate poem art cards) matches the included script and instructions: they build an image prompt from a poem title, generate an image via an image CLI, and send it as a message. However the SKILL.md advertises use with a cron and a 'message' tool (Telegram delivery) and mentions MiniMax; those required credentials/tools are not declared in the skill metadata. This is a mismatch between declared requirements (none) and what the skill actually needs.
Instruction Scope
SKILL.md says to read data/poem_study_progress.json (relative) and archive/poem/, but the script hardcodes absolute paths under /Users/hwang/.openclaw/workspace (progress file, memory/*.md, output dir). The script also falls back to scanning memory markdown files (memory/*.md) to find poem titles — that can read arbitrary user notes. These file accesses go beyond the documented relative paths and may expose unrelated sensitive user data.
Install Mechanism
There is no install spec (instruction-only) which is low risk for supply-chain downloads. The script requires an external CLI ('mmx') and instructs 'npm install -g mmx-cli' as a prerequisite in SKILL.md, but this is not enforced or declared in metadata. Lack of an explicit install step is acceptable, but the skill depends on an external, third-party CLI (mmx) and its trustworthiness should be validated by the user.
Credentials
The skill metadata declares no required environment variables or credentials, yet SKILL.md and the script require a MiniMax API/CLI and imply a MiniMax API key and a messaging transport (Telegram) for delivery. The script also reads files from a specific user's workspace (absolute /Users/hwang/...), which is a disproportionate and user-specific access pattern. Required secrets (MiniMax API key, Telegram token) should be declared and justified; currently they are missing.
Persistence & Privilege
The skill is not marked 'always:true' and does not modify other skills or system-wide settings. It writes output files to a workspace directory and removes previous images; this is expected for an image-generation helper and does not indicate elevated privileges.
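How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install poetry-daily-art`
- Once installation completes, call the Skill by name or use `/poetry-daily-art` to trigger it
- Provide the required inputs as described by the Skill's parameters to get structured output
Version history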
v1.0.0
- First release: Generate daily Chinese classical poetry art cards combining AI-generated landscape paintings with full poem texts.
- Delivers visually styled images and formatted captions through chat.
- Automatically selects today's poem based on study progress.
- Integrates cron scheduling for daily automated delivery.
- Ensures image style and caption formatting match the poem's tone and content.
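FAQ
What is Poetry Daily Art?
Generate daily Chinese classical poetry art cards — AI-generated landscape painting paired with poem text, delivered to chat. Use when the user asks for poet... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 75 cumulative downloads to date.
How do I install Poetry Daily Art?
Run the command "/install poetry-daily-art" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Poetry Daily Art free?
Yes. Poetry Daily Art is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Poetry Daily Art support?
Poetry Daily Art is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Poetry Daily Art?
It is developed and maintained by lava-lake (@lava-lake); the current version is v1.0.0.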