Security Scan
OpenClaw
Suspicious
Medium confidence. The skill's files and declared optional integrations largely match a content-marketing purpose, but contradictions in the metadata about network behavior and the presence of install/build/test shell scripts (which the README instructs users to run) create a risk surface that deserves manual review before installation or providing any API keys.
Assessment recommendations
This package mostly looks like a coherent content-marketing 'box', but take these precautions before using it: 1) Do not run install.sh, build.sh, or test scripts on your main machine without reading them line-by-line — inspect install.sh and test/smoke-test.sh for any network calls, credential uploads, or destructive commands. 2) Treat optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN, GOOGLE_SHEETS_CREDENTIALS_JSON, GETRESPONSE_API_KEY, UNISENDER_API_KEY) as sensitive: o...
ℹ Purpose and capabilities
The skill claims to be a full-cycle content-marketing system and the included files (SKILL.md, config.yaml, examples, integration-related optional env names) are consistent with that purpose: OpenAI/Anthropic keys for generation, TELEGRAM_BOT_TOKEN/CHAT_ID for posting, Google Sheets and GetResponse/Unisender for analytics/email. Nothing in the file manifest obviously requests unrelated cloud provider credentials or system‑level admin access.
⚠ Instruction scope
SKILL.md / README instructs the user to run install.sh and test/smoke-test.sh and to fill config.yaml; the bundle includes install/build/test shell scripts. Running those scripts will execute code on the host and may perform network calls or modify files; the README suggests invoking them as part of setup. The runtime instructions do not (in the provided excerpts) direct reading arbitrary unrelated system files, but the presence of shell scripts means local execution risk exists and requires inspection before running.
ℹ Installation mechanism
There is no external install spec (good: nothing is fetched from an external URL at install time), but the package includes install.sh and build.sh which are intended to be executed locally. build.sh and smoke-test run archive and test workflows; their contents appear ordinary, but install.sh and test/smoke-test.sh were not shown in full here — executing them without review is risky because they can run arbitrary shell commands.
ℹ Credential requirements
The SKILL.md lists many optional environment variables (Anthropic/OpenAI keys, TELEGRAM tokens, Google Sheets credentials, GetResponse/UniSender keys). Those are proportionate to capabilities advertised (content generation, posting to Telegram, spreadsheets analytics, email sending). However, registry metadata at the top claims 'Required env vars: none' while SKILL.md lists optional envs — that's not dangerous by itself but should be clarified. Also metadata.network_behavior claims 'makes_requests: false' which contradicts the integrations implied by the optional credentials.
✓ Persistence and privileges
The skill is not marked always:true and does not request system-wide config paths or permanent elevated privileges. It does include scripts that may alter files within its package or create outputs (zips, staged files) but nothing indicates it modifies other skills or agent-wide settings. Autonomous invocation is enabled (default) but is not an additional risk here absent other red flags.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v3.5.4 2026/4/21
Marketplace presentation refresh.
● Benign
Install command
Official: npx clawhub@latest install raai-content-master-pro
Mirror (accelerated): npx clawhub@latest install raai-content-master-pro --registry https://cn.longxiaskill.com (mirror syncing)