Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

weibo-post

v1.0.0

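Post to Weibo (Sina Weibo). Triggered when the user says "发微博" (post a Weibo), "发条微博" (post a Weibo), "发到微博" (post to Weibo), "发一条微博" (post one Weibo), "帮我发微博" (help me post a Weibo), or "发到微博" (post to Weibo). Uses the browser to post to Weibo automatically.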

by Zkk (@chinazkk)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (post to Sina Weibo using a browser) matches the SKILL.md instructions which automate a browser to navigate to weibo.com, type text, and click send. However the skill assumes use of a browser profile (profile="openclaw") that must already be logged into Weibo; this implicit dependency is not declared in the skill metadata.
! Instruction Scope
Instructions call only browser navigation/snapshot/act actions (appropriate for posting), but they assume snapshots return element refs (e.g., ref=e35/e36) and an existing targetId without describing how targetId is obtained. Step 4 has a probable typo (profile="opencloak" vs "openclaw") which can break execution. The SKILL.md does not describe any authentication flow — it silently depends on an existing authenticated browser session.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill package itself.
! Credentials
The skill declares no environment variables or credentials, but functionally requires access to the agent's browser profile/session cookies (profile="openclaw") to be logged into Weibo. That implicit requirement can give the skill access to session tokens and the ability to act as the logged-in user; this is not documented in the metadata.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. Autonomous invocation is allowed (default) — which means the agent could post when triggered by the user phrases, but that is expected for this type of skill.
What to consider before installing
This skill automates a browser to post on Weibo and appears to expect an existing logged-in browser profile named "openclaw" (the SKILL.md even contains a typo 'opencloak'). Before installing, consider:
1) Does your agent have a browser profile with Weibo logged in? If so, the skill would act using those session cookies — effectively posting as that account.
2) Test on a throwaway Weibo account first to confirm behavior and element refs.
3) Ask the author to clarify how targetId is obtained and how authentication is handled, and to fix the profile-name typo.
4) If you don't want automatic posting without explicit confirmation, ensure the agent prompts you to confirm the exact text before clicking send.
If you are uncomfortable with an installed skill using an existing browser session to act on your behalf, do not install.
