xhs-auto-content-by-hot

自动获取百度热搜话题，生成小红书文案并调用Seedream-4.5生成封面及配图，输出完整内容包。

This skill appears to implement the advertised workflow, but it asks you to paste your Seedream/ByteDance API key directly into scripts/generate.py — do NOT store secrets in source. Before installing or running: (1) inspect and, if needed, modify generate.py so it reads the API key from an environment variable or a protected config file instead of embedding it; (2) verify the Seedream API endpoint (ark.cn-beijing.volces.com) is the legitimate service you expect; (3) run the script in an isolated environment (container or VM) because it writes files under /root/.openclaw/workspace and makes outbound HTTP requests; (4) remove or ask the author to explain the unicode control characters in SKILL.md; (5) ensure Python and the requests package are present and consider reviewing/downloaded image URLs before following them. If you cannot confirm the endpoint or the control-characters explanation, treat this skill as risky and avoid providing high-privilege or reusable secrets.

Type: OpenClaw Skill Name: xhs-auto-content-by-hot Version: 1.0.0 The skill instructs the AI agent in SKILL.md to solicit a sensitive API key from the user and programmatically write it into the 'scripts/generate.py' source file. This is a highly insecure practice that leads to hardcoded credentials and creates a significant risk of Remote Code Execution (RCE) if the agent fails to sanitize the user-provided input before modifying the Python script. While the script's logic for fetching Baidu trends and calling the Volcengine API (ark.cn-beijing.volces.com) appears legitimate, the automated code-modification pattern is a major security flaw.