by 安全扫描
OpenClaw
可疑
medium confidenceThe skill is coherent with a visual-content helper, but its runtime instructions tell the agent to read local project-context files (.claude/project-context.md and .cursor/project-context.md) even though no config paths or file access are declared—this mismatch is worth caution.
评估建议
This skill looks like a normal content/visual planning helper and has no installers or credential requests, but its instructions tell the agent to read local project-context files (.claude/project-context.md and .cursor/project-context.md) even though the skill metadata doesn't declare those as required config paths. That means the agent could access workspace files you might not expect it to. Before installing or enabling: (1) Inspect those project-context files (or remove/sanitize them) if the...详细分析 ▾
ℹ 用途与能力
Name/description match the instructions: the SKILL.md provides practical guidance for planning and repurposing visuals across channels. References to related internal skills (image-optimization, brand-visual-generator, platform skills) are consistent with the stated purpose.
⚠ 指令范围
The instructions explicitly direct the agent to 'Check for project context first: If .claude/project-context.md or .cursor/project-context.md exists, read Section 12 (Visual Identity) for brand consistency.' These are specific local file paths the agent is told to read at runtime, but the skill declares no required config paths. Asking the agent to read workspace files (and a specific section) expands its access beyond what the metadata advertises and could surface sensitive brand or other project data. The SKILL.md otherwise does not instruct data exfiltration or network calls, and most actions stay within content planning scope.
✓ 安装机制
Instruction-only skill with no install spec, no downloaded artifacts, and no binaries declared — this is low installation risk.
ℹ 凭证需求
The skill requests no environment variables, credentials, or config paths in metadata, which is proportionate for a content-planning helper. However, the runtime instructions nonetheless reference reading local project files that are not declared, which is a discrepancy to be aware of.
✓ 持久化与权限
Flags show always: false and normal model invocation. The skill does not request persistent presence or claim it will modify other skills or system-wide settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/19
Batch: copywriting through about-page-generator
● 无害
安装命令
点击复制官方npx clawhub@latest install visual-content
镜像加速npx clawhub@latest install visual-content --registry https://cn.longxiaskill.com