Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Long-Form Article Publishing
v0.1.1
Publish existing Markdown articles to X (Twitter) Articles drafts with browser automation preparation, rich-text clipboard support, image/divider positioning...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and instructions: parsing Markdown, preparing HTML/images, exporting local X/Twitter cookies to a Playwright storage_state JSON, copying content to clipboard, and converting tables to images. The requested capabilities (reading local cookies, converting images, preparing HTML) are expected for this purpose.
Instruction Scope
SKILL.md stays within the publishing scope. It explicitly limits itself to the publishing workflow and cookie sync, and warns not to expose cookie values or commit them. Notable runtime behaviors: it will read local browser cookie stores, scan a few local image directories for missing images, download HTTPS images referenced in Markdown, and write a storage_state JSON to ~/.cache/x-article-publisher/x-storage-state.json — all of which are consistent with the stated workflow but are sensitive operations that deserve user attention.
Install Mechanism
No opaque download/install steps. The repo is instruction-only with a requirements.txt. Dependencies referenced in runtime messages (pyobjc, pywin32, clipboard utilities) are optional platform-specific helpers and are not included in requirements.txt; this is a minor mismatch but not a major install risk.
Credentials
The skill reads browser cookies (via browser-cookie3) and writes them into an on-disk Playwright storage state JSON — behavior that is necessary to reuse a logged-in session but is sensitive. It requests no environment variables/credentials. Access to local cookie stores and certain user directories is proportionate for the stated task, but users should be aware this exposes session cookies to any process that can read the generated cache file.
Persistence & Privilege
The skill persists a storage_state cache at ~/.cache/x-article-publisher/x-storage-state.json and may create temp images in the system temp dir. always is false and the skill is not force-enabled. Writing a local cache is expected for its functionality, but the cache contains auth cookies and should be protected and not committed to repositories.
Scan Findings in Context
[reads-local-browsers-cookies] expected: export_x_cookies.py uses browser_cookie3 to read Chrome/Edge/Firefox/etc. cookie stores and convert matching x.com/twitter.com cookies to Playwright storage state. This is required to reuse a login session for automation.
[writes-playwright-storage] expected: The script writes a JSON storage_state to ~/.cache/x-article-publisher/x-storage-state.json containing cookies (including auth_token and ct0). This is necessary for Playwright injection but contains sensitive session values.
[downloads-remote-images] expected: parse_markdown.py will download HTTPS images referenced in the Markdown into a temp directory to upload them to X. Network fetches are expected for processing remote image URLs.
[clipboard-access] expected: copy_to_clipboard.py writes HTML/images to the system clipboard (macOS/Windows). This matches the documented workflow for pasting rich HTML into the X Articles editor.
Assessment
This skill is coherent for its stated purpose, but it performs sensitive local operations: it reads browser cookie stores and writes a Playwright storage_state JSON (including auth cookies) to ~/.cache/x-article-publisher/x-storage-state.json, scans a few local image directories if needed, and may download external images referenced in your Markdown. Only run it on a trusted, local machine. Do not commit the generated cache file to source control. If you plan to use it on a remote runner or CI, avoid enabling cookie export there. Also note some platform-specific clipboard dependencies (pyobjc, pywin32, clipboard utilities) are referenced at runtime but not listed in requirements.txt — install them as needed. If you want stronger guarantees, review the export_x_cookies.py and parse_markdown.py source and confirm the cache path and retention policy before use.
Like a lobster shell, security has layers — review code before you run it.
