Zhy Article Illustrator

Use when illustrating a Markdown article with high-finish editorial visuals, visual-bible planning, structured prompts, optional Qiniu upload, and inserted i...

Key things to consider before installing or running: - Metadata omission: the registry entry says "no required env vars" but the scripts expect many API keys (IMAGE_*, GEMINI_API_KEY/GOOGLE_API_KEY, OPENAI_API_KEY) and optional QINIU_* credentials. Do not supply any secrets until you confirm which provider and endpoint you intend to use. - Default third‑party endpoint: the code includes a non-official default image base URL (https://vip.123everything.com/v1beta). If you do not explicitly set IMAGE_BASE_URL/XIAOMI_BASE_URL or provider to an official endpoint, the skill may contact that host. If you plan to use this skill, set image provider and base URL to your trusted provider (official Gemini/OpenAI/Xiaomi endpoints) and verify the endpoint before supplying API keys. - .env and config reading: the scripts will read a .env in the skill run directory and will search upward for .zhy-illustrator.yml (it walks parent directories). Ensure no sensitive credentials or private config files are in parent directories you don't expect the skill to read. - Qiniu upload: uploading images requires QINIU_ACCESS_KEY / QINIU_SECRET_KEY etc. Only provide these if you intend to use upload and you trust the run environment. The upload code uses standard HMAC signing logic; still treat these values as sensitive. - Run in a controlled environment first: test with a throwaway article and with no API keys (or with keys restricted to test accounts) to observe outbound requests. Prefer running inside an isolated/sandboxed environment if you will provide real API keys. - If you need to trust this skill: inspect and optionally edit the code to remove or change the default base URL, and explicitly add required env vars to the skill metadata before granting access. I have medium confidence in this assessment because the code is readable and not obfuscated, but some runtime behavior depends on environment configuration (which affects risk) and the presence of the non-official default endpoint makes the intent ambiguous. Additional confirmation (author identity, repository source, and intended default endpoints) would increase confidence.

Type: OpenClaw Skill Name: zhy-article-illustrator Version: 0.1.0 The skill bundle is a legitimate and well-structured tool designed to automate the illustration of Markdown articles using AI image generators (Gemini, OpenAI) and Qiniu Cloud for image hosting. It includes scripts for article analysis, visual style planning (visual-bible), structured prompt generation, and automated uploading. While the code contains a hardcoded default API relay URL (vip.123everything.com) for the 'Xiaomi' provider, this is documented as a functional requirement for that specific service and does not appear to be an intentional exfiltration backdoor. The scripts handle sensitive API keys from environment variables in a standard manner, and no evidence of malicious intent, prompt injection, or unauthorized data access was found across the files (SKILL.md, illustrate-article.ts, image-gen.ts, etc.).