Reddit Quote Carousel Topaz
Author: psyduckler · GitHub · v1.0.0
Total downloads: 728
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install reddit-quote-topaz
Description
Create an Instagram carousel from a popular-picks list with Reddit quotes + Topaz 2x upscaling. Cover = "clean" style ("Top CATEGORY in Destination"), attrac...
Security recommendations
Do not install or grant this skill full autonomy until the author clarifies and fixes the mismatches. Questions / actions to request before proceeding:
1) Declare exactly which credentials/configs are required (Topaz API key, Instagram Graph API token, instagram-account-id, and any Git credentials) and the expected mechanism (env vars vs Keychain).
2) Remove or explain the hardcoded local path (/Users/psy/...) and provide a portable overlay tool or a dependency list/install instructions.
3) Confirm target repository and whether the skill will push to a public repo; require explicit git credentials and least-privilege tokens.
4) Note the platform assumption (macOS Keychain use) and either add an alternative for other OSes or restrict OS support in metadata.
5) If you must use this skill, run it in a sandboxed agent and avoid giving it a long‑lived Instagram token with publish scope; use a short‑lived/test account and review activity logs.
6) Consider disabling autonomous invocation (require manual approval) until you trust the behavior.
If the author cannot or will not address these issues, treat the skill as risky and do not provide it access to your Keychain or publish tokens.
Functional analysis
Type: OpenClaw Skill
Name: reddit-quote-topaz
Version: 1.0.0
The skill bundle is classified as suspicious due to two primary risky capabilities, even though there is no clear evidence of intentional malicious behavior. First, the `popular_picks_url` parameter is user-controlled and directly fed to `web_fetch` without explicit sanitization or validation instructions, creating a potential Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability if the `web_fetch` function is not robustly secured. Second, the skill includes instructions for `git push` operations to host images, which implies the agent has broad write permissions to a repository. While these actions are plausibly needed for the stated purpose of creating Instagram carousels, they represent significant attack surfaces if the agent's environment or input handling is not perfectly secure.
Capability assessment
Purpose & Capability
The skill's name/description (Reddit quotes + Topaz upscale → Instagram carousel) is coherent with instructions to fetch a popular‑picks page, find photos, run Topaz, overlay text, and publish. However, the SKILL.md presumes access to macOS Keychain entries, an Instagram Graph API token, and push access to a 'tabiji' repo — none of which are declared in the registry metadata. Also it references a hardcoded, user‑specific script path (/Users/psy/.openclaw/...) which is not portable or declared.
Instruction Scope
Instructions do more than simple image composition: they read secrets from macOS Keychain via the security CLI, download and upload images to Topaz Labs, use a local python overlay script at a specific user path, and git‑push files to a repo. They therefore access local secrets, local filesystem paths, and external services beyond just reading the provided popular_picks_url. The skill also assumes tools like curl, jq, git and python are present and that the runtime can access Keychain and a particular project workspace.
Install Mechanism
This is an instruction‑only skill with no install spec or code files, so nothing will be written to disk by an installer. That lowers install risk. The runtime still instructs downloading/uploading images and calling external APIs (Topaz and GitHub raw URLs) which are normal for this purpose.
Credentials
The registry lists no required environment variables or config paths, but the SKILL.md explicitly expects macOS Keychain items (topaz-api-key, instagram-access-token, instagram-account-id) and uses them to call Topaz and the Instagram Graph API and to publish posts. It also expects push access to the tabiji repo. Sensitive credentials are used but not declared — a clear mismatch and disproportionate for an install that advertised no required secrets.
Persistence & Privilege
The skill does not request 'always: true', but its instructions include publishing directly to Instagram (using an access token) and pushing hosted images to a repository. If the agent can invoke this skill autonomously (default), it could publish content on behalf of the user. Combined with the undeclared credentials and Keychain access, this increases the blast radius and warrants caution.
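How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install reddit-quote-topaz`
- Once installation completes, invoke the Skill by name or trigger it with `/reddit-quote-topaz`
- Provide the required inputs according to the Skill's parameter description to get structured output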
Version history
v1.0.0
Initial release
FAQ
What is Reddit Quote Carousel Topaz?
Create an Instagram carousel from a popular-picks list with Reddit quotes + Topaz 2x upscaling. Cover = "clean" style ("Top CATEGORY in Destination"), attrac... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 728 cumulative downloads to date.
How do I install Reddit Quote Carousel Topaz?
Run the command "/install reddit-quote-topaz" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Reddit Quote Carousel Topaz free?
Yes, Reddit Quote Carousel Topaz is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Reddit Quote Carousel Topaz support?
Reddit Quote Carousel Topaz runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Reddit Quote Carousel Topaz?
It is developed and maintained by psyduckler (@psyduckler); the current version is v1.0.0.