Skillv1.0.0

ClawScan security

小红书长图文发布 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 28, 2026, 10:13 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only browser automation for publishing on 小红书 and is largely consistent with that purpose, but it asks the agent to rely on and check a local OpenClaw browser config (~/.openclaw/openclaw.json) and elevated browser host control without declaring those config requirements — this mismatch and the implicit elevated browser control are worth reviewing before use.
Guidance: This skill appears to do what it says (automate publishing on 小红书) and has no code/install footprint, but it expects the OpenClaw browser to be configured for host control and asks you to inspect ~/.openclaw/openclaw.json — a file the skill's manifest did not declare. Before installing or running: 1) review ~/.openclaw/openclaw.json yourself to confirm it contains only settings you expect (and back it up), 2) understand that enabling allowHostControl gives the tooling broad automation power over that browser profile (avoid using a profile with sensitive logged-in sessions), 3) consider testing with a throwaway Xiaohongshu account and an isolated browser profile, and 4) be cautious with snapshots or saved snapshots since they may capture page contents (potentially secrets). If you need stronger assurance, ask the skill author to declare the config path in its manifest or to provide a minimal checklist that does not require reading other local configs.
Findings: [no-regex-findings] expected: The static regex scanner found nothing because this is an instruction-only skill with no code files to analyze. That absence of findings is expected but not a guarantee of safety; the SKILL.md itself must be evaluated (and was).

Review Dimensions

Purpose & Capability: noteThe name/description (automating Xiaohongshu web publishing) matches the runtime instructions (starting the OpenClaw browser, navigating to the creator site, filling title/body, performing 'one-click layout', and publishing). The use of openclaw CLI/browser actions is expected for a web-automation skill.
Instruction Scope: concernSKILL.md explicitly instructs the agent to check ~/.openclaw/openclaw.json for specific sandbox/browser settings and to run gateway/browser restart commands. Those instructions require reading/validating local agent/browser configuration and exercising host control over the browser session — actions beyond merely opening a page and clicking UI elements. The skill's manifest did not declare any required config paths, so the instructions access undeclared local configuration.
Install Mechanism: okNo install spec or code files are present; this is instruction-only, which limits disk write/installation risk. All runtime actions rely on existing OpenClaw tooling already expected on the agent.
Credentials: concernThe skill declares no environment variables or credentials, which is good. However, it references a specific local config path (~/.openclaw/openclaw.json) and requires the OpenClaw browser to have allowHostControl=true and a defaultProfile set. Accessing or requiring local config that may contain other settings or profiles is not declared and increases the scope of what the agent will read or depend on.
Persistence & Privilege: okalways:false and user-invocable defaults are preserved. The skill does not request permanent 'always' inclusion nor does it instruct modification of other skills or system-wide agent settings. That said, it requires the browser to permit host control, which effectively grants broad ability to automate any page open in that browser profile while running.