自媒体文案生成器

一键生成多平台爆款文案 - 小红书/抖音/公众号/知乎

What to consider before installing or running this skill: - The code contains a hard-coded API key and a remote LLM endpoint (dashscope.aliyuncs.com). That key is embedded in src/generator.py even though the skill metadata declares no required credentials. Hard-coded credentials are risky: they may be leaked, revoked, or abused by whoever controls the key. - In normal CLI usage (generate.py creates CopywriterGenerator() with client=None) the generator falls back to local mock templates and will not call the network. However the repository includes a network-call path that will send prompts/contents to the third-party service if the generator is used with a client or if the code is modified to enable that path. The SKILL.md does not clearly disclose this network behavior. - If you plan to run this skill: - Inspect src/generator.py and confirm whether you want outbound calls. If you do not want network calls, keep the default (do not pass a client) — the CLI uses mock generation by default. - Remove the hard-coded API key from the repository and never run code that contains embedded secrets. Ask the author why a key is present and request that real credentials be supplied via environment variables (and that the code read them), or replace the key with your own and store it securely. - Treat any content you send as potentially visible to the third-party LLM provider. Avoid sending sensitive or private data. - Prefer a vetted LLM integration (where the skill expects an env var like DASHSCOPE_API_KEY) or run entirely offline/mock mode if you want no network exposure. - Questions to ask the author before installing: Why is there a hard-coded API key? Why does SKILL.md/metadata not list the LLM API requirement? Will future versions require network access by default? Given these inconsistencies, the skill is coherent with its copywriting purpose but contains a suspicious credential/remote-call footprint that the user should resolve or confirm before trusting the package.

Type: OpenClaw Skill Name: social-media-copywriter-generator Version: 0.1.0 The skill is classified as suspicious primarily due to a hardcoded LLM API key found in `src/generator.py` (`sk-sp-1f1d92cdff7d4cbd8dcbe1cd08711606` for dashscope.aliyuncs.com). While this key is used for the skill's stated purpose (interacting with an LLM), hardcoding credentials is a significant secrets management vulnerability. Additionally, the skill makes outbound network calls to an external LLM service, and its design allows user input to be directly incorporated into the LLM's prompt, creating a potential prompt injection vector against the underlying AI agent, which is a common vulnerability in LLM-powered applications.