snowtrace
PendingStatic analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
This could violate the service’s access controls or terms, trigger account security checks, and lets the agent perform authenticated scraping through a stealth browser.
The skill explicitly relies on Playwright plus a stealth plugin to get past WAF/anti-bot controls, rather than using a normal supported API flow.
| 大V动态 | xueqiu.com | Playwright + stealth | 主域名有阿里云 WAF,curl 无法通过 |
Use only if this access method is permitted for your account and jurisdiction. Prefer official APIs or exports where available, and keep request volume low with explicit user approval.
Anyone running the skill with this token may be able to access account-bound Xueqiu data such as the user’s watchlist; the artifact does not show mutation or off-domain exfiltration, but the credential is still high-impact.
The skill asks the user to extract and provide a browser session cookie, while the registry metadata declares no required environment variables or primary credential.
export XQ_A_TOKEN="xq_a_token的值" ... F12 → Application → Cookies → 复制 `xq_a_token` 值。
Only provide the token if you trust the skill source. Consider using a separate account or revoking/refreshing the cookie after use, and the skill should declare this credential requirement in metadata.
Installing the skill may pull and run third-party packages and browser components on the local system.
The user-directed installer downloads npm dependencies and a Chromium browser at install time; this is expected for the skill’s browser automation, but it adds normal supply-chain/provenance risk.
npm install --save playwright-extra puppeteer-extra-plugin-stealth ... npx playwright install chromium
Review install.sh and package.json before running, install in an isolated environment if possible, and prefer pinned dependencies or a lockfile.