← 返回 Skills 市场
549
总下载
0
收藏
2
当前安装
26
版本数
在 OpenClaw 中安装
/install quotly-style-sticker
功能描述
Generate QuotLy-style stickers from forwarded messages and return one MEDIA path for auto-send. Use when users ask to create quote stickers from selected for...
安全使用建议
This skill will send the forwarded/quoted message text (and any avatar/status URLs you include) to an external rendering API to produce a sticker. That behavior is explicit in SKILL.md and the script includes SSRF protections, response size limits, and an optional allowlist. If the messages are privacy-sensitive, only use a trusted rendering endpoint or set QUOTLY_API_ALLOW_HOSTS to restrict which hosts can be contacted. Consider enabling QUOTLY_AUDIT_LOG for monitoring, and run the skill in an isolated environment if you need stronger data protection.
功能分析
Type: OpenClaw Skill
Name: quotly-style-sticker
Version: 1.4.3
This skill is designed to generate stickers by sending user-provided message content to an external API. The `scripts/openclaw_quote_autoreply.py` script implements robust SSRF protection for the main API endpoint via `_sanitize_api_url`, including hostname validation, DNS rebinding checks, and path traversal prevention. User-provided `avatar_url` and `status_url` are also sanitized by `_sanitize_avatar_for_renderer` to only allow `https` or `data:image/` schemes without credentials, mitigating direct SSRF risks from these inputs. The `SKILL.md` explicitly documents the external API interaction and warns about user-provided URLs, demonstrating transparency. There is no evidence of malicious intent, data exfiltration, persistence mechanisms, or harmful prompt injection attempts against the agent.
能力评估
Purpose & Capability
Name/description (QuotLy-style sticker generator) match the included script and SKILL.md. The skill requires no credentials, no binaries, and only optionally uses QUOTLY_API_URL/ALLOW_HOSTS/AUDIT_LOG for contacting an external rendering service — all appropriate for this functionality.
Instruction Scope
Runtime instructions are narrowly scoped: run the provided Python script with a JSON payload containing selected_messages. The script sends message text and optional avatar/status URLs to an external API (explicitly documented). That network behavior is expected for a remote-rendering service, but it does mean user message content (and any avatar/status URLs included) will be transmitted to the remote service.
Install Mechanism
No install spec and no external downloads; the skill is instruction-only with a bundled Python script. This is low-risk from an installation perspective.
Credentials
No required environment variables or credentials. Optional env vars (QUOTLY_API_URL, QUOTLY_API_ALLOW_HOSTS, QUOTLY_AUDIT_LOG, QUOTLY_DEDUP_WINDOW_SECONDS) are reasonable for configuring the remote API, allowlist, and auditing. Because the API URL is configurable, operators should set QUOTLY_API_ALLOW_HOSTS in sensitive environments to avoid contacting arbitrary hosts.
Persistence & Privilege
The skill does not request persistent presence (always=false) and does not modify other skills or system-level config. It runs as a transient script and uses normal agent invocation behavior.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install quotly-style-sticker - 安装完成后,直接呼叫该 Skill 的名称或使用
/quotly-style-sticker触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.4.3
Patch: document dedupe key input and update sample payload/prompt
v1.4.2
Patch: suppress duplicate retries within a configurable dedupe window
v1.4.1
Patch release
v1.4.0
Add automatic entity styling
v1.3.0
Add automatic entity styling for URLs, mentions, hashtags, markdown
v1.2.1
Add automatic entity styling for URLs, mentions, hashtags, markdown
v1.2.0
Add automatic entity styling: URLs, mentions, hashtags, markdown bold/italic/code are auto-detected when no entities provided
v1.1.2
Change python to python3 in SKILL.md documentation
v1.1.1
Commented out stdout prints, use MEDIA path from return value only
v1.1.0
Security enhancement: DNS rebinding protection, path traversal prevention, request size limits (1MB/10MB), audit logging, URL credential stripping
v1.0.15
Enhanced SSRF protection: DNS rebinding defense, path traversal prevention, request size limits, audit logging
v1.0.14
Bug fixes and improvements
v1.0.13
Avoid duplicate sticker sends on channels with tool-media auto-delivery by requiring text-only final reply (no MEDIA line).
v1.0.12
Deduplicate merged message items to avoid double stickers and prioritize forwarded source identity over sender/global defaults.
v1.0.11
Default output to OpenClaw temp roots and keep workspace fallback, reducing LocalMediaAccessError for Telegram final reply.
v1.0.10
Fix multi-message extraction to keep separate bubbles instead of merged text
v1.0.9
Fix auto canvas sizing and English confirmation output
v1.0.8
Security update: inline sensitive-query avatar URLs as data URLs instead of forwarding signed URLs to renderer
v1.0.7
Set safer defaults: disable Telegram avatar lookup and remote avatar URLs by default
v1.0.6
Refactor SKILL structure for human vs agent guidance; move risk controls to environment variables with skills-config examples; tighten avatar URL safety rules
元数据
常见问题
Quotly Style Sticker 是什么?
Generate QuotLy-style stickers from forwarded messages and return one MEDIA path for auto-send. Use when users ask to create quote stickers from selected for... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 549 次。
如何安装 Quotly Style Sticker?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install quotly-style-sticker」即可一键安装,无需额外配置。
Quotly Style Sticker 是免费的吗?
是的,Quotly Style Sticker 完全免费(开源免费),可自由下载、安装和使用。
Quotly Style Sticker 支持哪些平台?
Quotly Style Sticker 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Quotly Style Sticker?
由 sakullla(@sakullla)开发并维护,当前版本 v1.4.3。
推荐 Skills