Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

rednote-contacts

v1.0.0

Operate the red-crawler CLI to crawl Xiaohongshu profiles, manage sessions, run scheduled collections, and export contactable creator reports from the local...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, manifest, and src/index.py are coherent: the skill is a wrapper that runs the red-crawler CLI, bootstraps a workspace, saves Playwright storage state, runs crawls, and exports reports. However, the registry metadata claims 'Required binaries: none' and 'No install spec / instruction-only' while the manifest and entrypoint indicate a Python runtime (src/index.py) and the code expects to invoke external commands (git, 'uv', playwright installer). This mismatch between declared requirements and actual runtime needs is unexpected.
Instruction Scope
The SKILL.md instructions and the code are aligned: they build and run red-crawler CLI commands, manage a local workspace, save/load a Playwright storage_state, and read/write local artifacts (SQLite DB and CSV/JSON reports). The instructions do not direct data to external endpoints beyond cloning the repo and running the crawler (which itself will access Xiaohongshu). They do require a Playwright storage_state (authenticated browser session) for crawling, which contains sensitive session cookies—this is expected for the stated purpose but important to note.
Install Mechanism
No install spec is declared, but the code's 'install_or_bootstrap' flow will run 'git clone' from the repo_url (defaulting to https://github.com/Batxent/red-crawler.git), run 'uv sync', and run Playwright install steps. Cloning and executing code from a remote repo at runtime is higher-risk behavior and should only be done for trusted repositories. Additionally, the package does not declare the external CLIs it will call, which is an omission in packaging/metadata.
Credentials
The skill declares no required environment variables or credentials, which matches the code (it uses local file paths and command-line flags). Note: it operates on Playwright storage_state files (session cookies) and local project files, so the main secrecy risk is having an authenticated storage_state file present; that is expected for web crawling but is sensitive and should be treated as a credential.
Persistence & Privilege
The skill does not request always:true and does not modify other skills; it runs commands during invocation and does not request permanent platform privileges. Autonomous invocation is allowed (platform default) but that is not by itself a reason to reject; consider whether you want an agent to run crawling tasks autonomously since the blast radius is local filesystem + network access.
What to consider before installing
This skill appears to be what it claims (a wrapper to run the red-crawler CLI), but there are a few things to check before installing:

- Metadata vs reality: The skill's metadata claims no required binaries and labels itself as instruction-only, yet it bundles a Python entrypoint and its runtime will call external CLIs (git, uv, and Playwright). Expect that you need git, the 'uv' command used by the project, and a working Playwright/Chromium runtime.
- Remote code: install_or_bootstrap may git-clone a remote repository (default: github.com/Batxent/red-crawler). Only allow cloning and executing code from repositories you trust; review the repository contents before running.
- Sensitive session state: Crawling authenticated pages uses a Playwright storage_state file (state.json) which contains cookies and session data — treat it as a secret. If you provide a storage_state file, the skill (and the crawler it runs) can act as that authenticated user.
- Local filesystem access: The skill reads/writes the workspace, pyproject.toml, SQLite DB, and output artifacts. Run in an isolated directory or sandbox if you are concerned about accidental overwrites or data leakage.
- Review runtime commands: The included tests and code show it will run 'git clone', 'uv sync', 'uv run playwright install chromium', and 'uv run red-crawler ...'. Ensure these commands are acceptable in your environment.

If you plan to use this skill: (1) review the remote repo before bootstrapping, (2) run the first bootstrap in an isolated environment, (3) avoid supplying storage_state files from high-privilege accounts unless necessary, and (4) consider restricting autonomous runs or monitoring what the agent executes. If you want, provide the repo URL and I can highlight exact files/lines in that repo to inspect for risky behavior.
