Csdn Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CSDN article-writing and publishing helper, but it handles live account sessions, QR login, browser automation, and optional Notion/Telegram integrations.

Install only if you want an agent to act on your CSDN account. Confirm the final content before publishing, verify any Telegram destination before sending QR codes, use a Notion token scoped only to the intended database, and delete or protect saved CSDN cookies, QR images, and draft files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents capabilities to read/write local files, invoke shell commands, access network services, and use environment-backed credentials, but it does not declare permissions or prominently disclose those powers. This weakens review and consent boundaries: a user expecting simple browser-based publishing would not realize the skill also persists content locally, installs packages, queries external systems, and handles credential material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose is CSDN writing/publishing, but the workflow also queries a Notion database using API credentials for deduplication. That is a material behavior expansion into a separate external system and secret scope, creating risk of unintended data access and leakage because users may not consent to or expect Notion access when invoking a publishing skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The Notion deduplication feature extends the skill beyond drafting and posting to CSDN into cross-system content surveillance of recent records. In context this appears operationally useful, but it still increases the attack surface by introducing external API access, additional secrets, and potential exposure of historical content metadata unrelated to the immediate publish request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises browser automation that can publish content and send login QR codes via Telegram, but it provides no warning about account-impacting actions, third-party data exposure, or the privacy implications of transmitting authentication artifacts. In a skill that can act on a user's CSDN account, this omission increases the risk of unintended posting, credential/session compromise, and unsafe handling of sensitive login material.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough that ordinary requests about writing or CSDN could automatically invoke a skill that performs file writes, browser automation, login handling, Telegram sending, and external API access. Over-broad invocation increases the chance of accidental activation and unintended actions under ambiguous user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The top-level description underplays that the skill may send login QR codes via Telegram and persist authentication state/cookies locally. Those are sensitive operations involving authentication artifacts and third-party messaging, so insufficient disclosure can lead users to expose account access data without informed consent.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The workflow requires saving article drafts and failure metadata to /tmp before publishing, but this retention is not clearly surfaced as a user-visible data handling practice. Local persistence can expose unpublished content, sensitive notes, or URLs to other local processes or operators, especially on shared hosts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script saves authenticated CSDN session state to disk and additionally writes a plaintext cookie header string, which materially lowers the barrier to session theft if the workspace, home directory, backups, or logs are accessed by another local user, process, or synced service. In this skill's context, those cookies directly enable account actions such as publishing content, so compromise can lead to account takeover and unauthorized posting.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script silently sends user-supplied title/URL data and a Notion bearer token to an external service without any inline warning, confirmation, or disclosure. In an agent skill context, undisclosed outbound transmission is risky because users may not realize their content metadata and credentials are being used or routed externally.

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Start the login script**
```bash
cd /root/.openclaw/workspace/skills/csdn-publisher
nohup python scripts/login.py login --timeout 300 > /tmp/csdn-login.log 2>&1 &
```

2. **Wait for the QR code to be generated** (about 10-15 seconds)
Confidence
87% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
### Start login with notifications

```bash
nohup python scripts/login.py login --timeout 300 --notify > /tmp/csdn-login.log 2>&1 &
```

---
Confidence
88% confidence
Finding
nohup

VirusTotal

64/64 vendors flagged this skill as clean.
