snowtrace
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s purpose matches its code, but it requires a live Xueqiu session cookie and uses stealth browser automation to bypass Xueqiu’s WAF, so it should be reviewed carefully before use.
Before installing, make sure you trust the author and are comfortable giving the skill a live Xueqiu session cookie. Run the installer only in an environment you control, review the dependency downloads, and be aware that the stealth/WAF-bypass approach may create account or terms-of-service risk.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
This could violate the service’s access controls or terms, trigger account security checks, and lets the agent perform authenticated scraping through a stealth browser.
The skill explicitly relies on Playwright plus a stealth plugin to get past WAF/anti-bot controls, rather than using a normal supported API flow.
| 大V动态 | xueqiu.com | Playwright + stealth | 主域名有阿里云 WAF,curl 无法通过 |
Use only if this access method is permitted for your account and jurisdiction. Prefer official APIs or exports where available, and keep request volume low with explicit user approval.
Anyone running the skill with this token may be able to access account-bound Xueqiu data such as the user’s watchlist; the artifact does not show mutation or off-domain exfiltration, but the credential is still high-impact.
The skill asks the user to extract and provide a browser session cookie, while the registry metadata declares no required environment variables or primary credential.
export XQ_A_TOKEN="xq_a_token的值" ... F12 → Application → Cookies → 复制 `xq_a_token` 值。
Only provide the token if you trust the skill source. Consider using a separate account or revoking/refreshing the cookie after use, and the skill should declare this credential requirement in metadata.
Installing the skill may pull and run third-party packages and browser components on the local system.
The user-directed installer downloads npm dependencies and a Chromium browser at install time; this is expected for the skill’s browser automation, but it adds normal supply-chain/provenance risk.
npm install --save playwright-extra puppeteer-extra-plugin-stealth ... npx playwright install chromium
Review install.sh and package.json before running, install in an isolated environment if possible, and prefer pinned dependencies or a lockfile.