Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RedBookSkills - Xiaohongshu Publishing Assistant

v1.0.0

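Automatically publishes image-and-text or video content to Xiaohongshu (XHS), with support for login checks, content search, and interaction operations. Use cases: publishing image-and-text posts, publishing videos, launching only a test browser, obtaining the login QR code, scraping home-feed recommendations, searching notes, comment interactions, and scraping content data.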

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (automated posting, browser/CDP control, feed/search/interactions) align with the provided scripts (cdp_publish.py, publish_pipeline.py, chrome_launcher.py, account_manager.py, etc.). The code implements the claimed features (login QR, publish, search, comment, content-data). No unrelated cloud credentials or surprising binaries are requested.
!
Instruction Scope
SKILL.md tells the agent to launch and drive local Chrome, write title/content files, and call Python scripts that manipulate Chrome profiles and the filesystem. The runtime instructions legitimately require reading/writing local files and controlling Chrome, but they also allow connecting to non-local CDP hosts and will work with user Chrome profile directories (cookies, session data). The instructions are explicit about writing title/content files and using absolute paths; they do not demand secrets, but executing the scripts gives access to local browser profiles and downloaded media, which is broader than a simple 'post helper' and requires caution.
Install Mechanism
No install spec; skill is provided as source files (Python scripts). This is low-risk from an installer perspective (nothing is downloaded during install), but running the scripts will execute local code. requirements.txt is minimal (requests, websockets), both common packages.
!
Credentials
The skill declares no required env vars, which matches the files. However, it accesses local Chrome user-data-dir(s) (profile cookies and other artifacts), reads/writes config/accounts.json and tmp/login_status_cache.json, and can accept a remote --host/--port to control remote Chrome. Account name handling allows path components (no sanitization), enabling profile directory escape. These capabilities are proportional to automation, but they expand the attack surface (local cookie/profile access, potential accidental/useful exfiltration if Chrome profiles contain sensitive sessions).
Persistence & Privilege
The skill is not always:true and does not request special platform privileges. It manages its own config under a repo-local config/ and profile directories under a user Chrome path. However, it can create and delete profile dirs and optionally delete them in remove-account. Combined with account name path traversal and port reuse behavior, this gives the scripts significant filesystem impact and long-lived access to browser state if run on a host.
Scan Findings in Context
[validate_schedule_post_time:timedelta_missing_NameError] unexpected: Code review shows validate_schedule_post_time() can raise NameError due to timedelta import mismatch. This is a correctness bug, not expected for a stable publishing skill; it can crash timed-post flows.
[get_content_data:pagination_params_no_effect] unexpected: get_content_data() accepts page_num/page_size/type but the implementation only passively listens to the page; CLI parameters may not drive the page's requests. This creates an incorrect contract between CLI and behavior.
[chrome_launcher:port_reuse_multiprofile_risk] unexpected: chrome_launcher treats any Chrome listening on the target debug port as reusable without verifying the profile; in multi-account scenarios this can cause silent cross-account operations (profiling/account mixing). Not expected for a safe multi-account automation.
[account_manager:profile_name_path_traversal] unexpected: account_manager.add_account() builds profile_dir by joining PROFILES_BASE and the provided name without sanitizing name characters. Code review flagged potential directory escape via '../../' or absolute paths. This is a security/configuration risk and not expected for normal account management.
[cdp_publish:_fill_content_innerHTML_html_injection] expected: Filling editor via innerHTML may lead to content mangling if user content contains HTML characters. It's expected to interact with the page DOM, but the specific implementation choice is a correctness/security concern (content mutation), noted by reviewers.
[cdp_publish:cdp_send_blocking_no_timeout] expected: CDP send/receive blocking without an overall timeout can hang automation. This is expected in CDP-based scripts but still a robustness issue flagged in the code review.
What to consider before installing
This package is coherent with its stated goal (automating Xiaohongshu via a local Chrome/CDP workflow) but contains several risky implementation details you should consider before installing or running it:
- Sensitive access: The scripts launch Chrome with explicit user-data-dirs and will read/write profile data (cookies, local storage). If you point it to real Chrome profiles, the tool can act using those sessions. Never run it against profiles containing accounts you cannot afford to expose.
- Account name sanitization: The account manager does not properly validate account names; a malicious or accidental name like '../../other' could create or operate on unexpected filesystem locations. Inspect config/accounts.json and avoid adding untrusted account names.
- Port reuse / cross-account risk: The launcher will reuse any Chrome instance listening on the debug port without verifying which profile owns it. In multi-account setups, this can cause actions to be performed on the wrong account. Prefer running in an isolated Chrome instance per account or use dedicated ports.
- Remote CDP: The scripts support --host/--port to point to remote Chrome. Treat remote CDP endpoints as fully trusted — controlling a remote CDP instance grants full control of the browser and its session data. Do not point to third-party or unknown hosts.
- Filesystem effects: The skill writes title/content files, downloads images, creates profile dirs, and can delete profile dirs if you use remove-account --delete-profile. Back up any important profile/config data first.
- Bugs and robustness: The included code review documents functional bugs (timed-post crash, pagination mismatch, blocking CDP calls). Test with disposable/test accounts and preview (--preview) before enabling auto-publish.

Recommendations before use:
1. Review scripts locally (account_manager.py, chrome_launcher.py, cdp_publish.py) for the path handling and port logic; fix or sanitize account names if possible.
2. Run in an isolated environment (VM or container) or with disposable Chrome profiles; do not point to your primary browser profile.
3. Avoid using remote --host unless you control the remote Chrome instance and network path.
4. Use preview mode and test accounts to validate behavior; inspect what the tool writes to disk (config/, tmp/, profile dirs).
5. If you lack dev resources, consider not installing or only running the README/AGENTS.md instructions manually rather than granting an AI agent autonomous invocation.

If you want, I can list the lines/locations in the files that implement the risky behaviors (profile path construction, port check logic, CDP send) so you or a developer can patch them before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bgq9p351hy9xqhk0hhgqcwh83w4eq
