Security scan
OpenClaw
Suspicious
high confidence
The skill's description (image/PPT generator) is plausible, but its runtime instructions reference API keys, home‑directory config files, clipboard access, and local scripts while the declared requirements list none — these mismatches warrant caution.
Assessment recommendations
This skill is plausible for generating illustrations, but there are important mismatches you should understand before installing or running it:
- The SKILL/README instruct the agent to use GEMINI_API_KEY and to call local scripts, yet the registry metadata declares no required environment variables or config paths. Treat that as a red flag: the skill will likely expect an API key and local files even if not declared.
- If you clone the repo into ~/.claude/skills (as README suggests), inspect an...
⚠ Purpose and capabilities
The skill claims to generate illustrations via Gemini/Excalidraw/Mermaid, which legitimately requires model API keys and export tooling. However the registry metadata declares no required environment variables or config paths, while the README/SKILL.md repeatedly reference GEMINI_API_KEY, ~/.smart-illustrator config files, and scripts under ~/.claude/skills/smart-illustrator/scripts. That mismatch (declaring nothing but expecting credentials and local scripts) is incoherent.
⚠ Instruction scope
SKILL.md instructs the agent to: read user-supplied article files, always read specific style files, extract System Prompt content from style files, write temporary prompt files under /tmp, auto-copy prompts to the clipboard, and invoke local export scripts (npx bun ~/.claude/skills/.../scripts/...). It also instructs writing/reading user-level config (~/.smart-illustrator) and cover learning records. These actions go beyond pure 'prompt generation' and require file I/O, home-directory access, and potentially network calls — and the skill claims none of these environment requirements.
ℹ Install mechanism
No install spec is declared (instruction-only), which is lower risk. But the README instructs users to clone a GitHub repo into ~/.claude/skills to obtain scripts; if users follow that, arbitrary scripts in that clone could be executed with npx/bun. Because the skill references local scripts that may not be part of the marketplace package, users who clone the repo should inspect those scripts before running.
⚠ Credential requirements
The skill's runtime text and README clearly expect a GEMINI_API_KEY (and optionally other provider keys) and use of ~ and /tmp paths, but the registry 'required env vars' and 'required config paths' are empty. Additionally the skill will write to ~/.smart-illustrator/cover-learnings.md and read style files that contain system-prompt content. Requesting or using API keys and home-file access is proportionate for an image generator — but those requirements should be declared; the omission is suspicious and makes it unclear what secrets might be used or transmitted.
ℹ Persistence and privileges
always:false (normal). The skill expects/encourages cloning files into ~/.claude/skills and will read/write user-level config under ~/.smart-illustrator; this is normal for a user-local tool but does persist data in the home directory. There is no explicit evidence it modifies other skills or system-wide configs, but it does instruct executing local scripts if present, which increases its runtime privilege when installed locally.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/10
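Smart Illustrator 1.0.0 - Initial release
- Supports three modes: article illustrations, batch generation of PPT/Slides infographics, and cover image generation (including sizes for mainstream platforms).
- Automatically selects the illustration engine (Gemini/Excalidraw/Mermaid) to meet different kinds of visualization needs.
- Must read the specified style file; strictly distinguishes between modes and styles.
- Supports `--prompt-only` mode, which automatically copies the JSON prompt to the clipboard for manual image generation.
- Rich CLI parameters supporting flexible configuration: multiple custom styles, reference images, multiple candidate images, different engines, and more.
- Outputs a markdown document with images, plus all images and source files, for later editing and publishing.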
● Harmless
Install command
Official: npx clawhub@latest install smart-illustrator
Mirror (accelerated): npx clawhub@latest install smart-illustrator --registry https://cn.longxiaskill.com (mirror available)
Localization notes
Smart Illustrator (智能插画师). Installation instructions: install command: npx clawhub@latest install smart-illustrator