Skillv1.0.0

ClawScan security

baijiahao-publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 16, 2026, 7:53 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's high-level purpose (browser-based Baijiahao publishing) is plausible, but the runtime instructions include hard-coded filesystem paths and an undocumented cookie-injection option that don't match the declared requirements — these mismatches could lead to credential handling or accidental data access.
Guidance: This skill appears to do what it says (automate Baijiahao publishing via the built-in browser), but there are important mismatches you should understand before installing: - Hard-coded Windows path: The SKILL.md requires copying the cover image to C:\Users\Administrator\AppData\Local\Temp\openclaw\uploads\cover.jpg. If your OpenClaw environment is not Windows or uses a different temp/profile path, the upload step will fail or the agent may attempt to access unexpected locations. Ask the author to make the upload path configurable or to use a cross-platform temp location. - Cookie injection is sensitive: The doc suggests bypassing login by injecting a cookie string (document.cookie='...'). Do NOT provide session cookies unless you fully trust the skill and understand the risk — cookies are credentials that grant account access. Prefer manual QR login as recommended. - Undeclared filesystem access: The package metadata doesn't list any required config paths or credentials, yet the workflow requires reading/writing local files. Confirm where the skill will write files and whether the agent will request access to your filesystem. - What to ask the author / what to change: require the skill to declare the config path(s) it needs and make paths configurable; remove or better qualify the cookie-injection fallback; explicitly state OS compatibility (Windows-only vs cross-platform); and add an explicit prompt/consent step before reading/writing local files or accepting cookies. If you still want to use it: run in a disposable/test environment first, never share session cookies, and inspect logs or prompts during the first run to confirm what paths the agent reads/writes. If you are uncomfortable with these issues, do not provide account cookies and ask for a revised skill that exposes its file-path and credential needs transparently.

Review Dimensions

Purpose & Capability: concernThe skill claims to be zero-dependency and runnable on any OpenClaw environment, but the SKILL.md hard-codes a Windows-specific upload path (C:\Users\Administrator\AppData\Local\Temp\openclaw\uploads\cover.jpg). The metadata declared no required config paths or credentials, yet the instructions depend on local filesystem write access and the built-in browser capability. This is an incoherence: either the skill should declare that it requires access to that path (and document cross-platform behavior) or avoid hard-coded OS-specific paths.
Instruction Scope: concernRuntime instructions tell the agent to copy user/AI-generated images into a specific local path and then call browser(action="upload") against that path — i.e., the agent will need file system access to arbitrary files. The SKILL.md also documents a 'cookie injection' fallback using document.cookie (browser(action="act"... evaluate ...)), which explicitly directs the agent to set session cookies in the page. Cookie injection is effectively asking for session credentials and is sensitive. These behaviors are outside what the package metadata advertises and broaden the skill's scope (file access + credential handling).
Install Mechanism: okThe skill is instruction-only (no install spec, no code files to execute), which reduces risk from arbitrary installs or downloaded code. There are no external URLs or package installs referenced.
Credentials: concernThe registry metadata lists no required environment variables or config paths, yet SKILL.md expects access to a specific filesystem location and suggests optionally injecting cookies (sensitive secrets). Requesting cookie strings or directing users to place files in a privileged path is disproportionate to the declared requirements and should be explicitly declared and justified.
Persistence & Privilege: okThe skill is not marked always:true and does not request persistent system-wide changes. It does not appear to modify other skills or global agent settings based on the provided materials.