Content Ops

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill has a plausible social-media automation purpose, but it asks for high-impact account access, installs and runs third-party automation services, and can auto-publish from user accounts with persistent background tasks.

Review this skill carefully before installing. Use non-critical or test social accounts first, do not paste raw cookies unless you trust the code and MCP packages, verify downloaded binaries and npm packages, and keep cron/background publishing disabled until you have confirmed approval, logging, and cancellation controls.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or unexpected binary could access social-media sessions and operate as the user.

Why it was flagged

The setup directs users to download and run a third-party binary and then keep it running in the background, but no checksum, signature, provenance validation, or install-spec control is provided.

Skill content
wget https://github.com/xpzouying/xiaohongshu-mcp/releases/.../xiaohongshu-mcp-linux-amd64.tar.gz ... tar -xzf ... ./xiaohongshu-login ... screen -dmS xhs-mcp ./xiaohongshu-mcp -headless=true
Recommendation

Only install after independently verifying the binary source and checksum, or prefer a reviewed, pinned package with a clear install and uninstall procedure.

What this means

Installing or using the skill can give it delegated access to social-media accounts, including the ability to read, crawl, and potentially publish as the user.

Why it was flagged

The skill requires platform cookies and API credentials even though the registry metadata declares no required env vars or primary credential.

Skill content
Requires the `XIAOHONGSHU_COOKIE` environment variable ... Requires the `REDDIT_CLIENT_ID` and `REDDIT_CLIENT_SECRET` environment variables
Recommendation

Declare all credentials in metadata, use least-privilege test accounts where possible, avoid sharing raw cookies, and confirm exactly which accounts and actions are authorized.

What this means

A bad draft, wrong account selection, or compromised task could result in public posts being made from the user's accounts.

Why it was flagged

The documented daily flow allows scheduled public posting without additional confirmation at execution time.

Skill content
14:00 | Publish scheduled content | ❌ Executes automatically
Recommendation

Require explicit final approval before each public post, add account/platform allowlists, provide dry-run previews, and document how to cancel scheduled tasks.

What this means

The system may keep operating in the background and perform account actions later, even when the user is not actively interacting with it.

Why it was flagged

The skill documents persistent cron-based automation that can continue checking and acting on publish tasks after setup.

Skill content
0 * * * * cd ~/.openclaw/workspace/skills/content-ops && node scripts/check-publish.js
Recommendation

Do not enable cron/background tasks until reviewed; add clear enable/disable commands, logging, and an uninstall/cleanup procedure.

What this means

A malicious or corrupted config file could run code on the user's machine under the agent's privileges.

Why it was flagged

Evaluating configuration values can execute arbitrary Python code if the config is modified or attacker-controlled.

Skill content
return eval(self.config.get(section, key, fallback=fallback))
Recommendation

Replace eval with safe parsing, such as JSON parsing or ast.literal_eval with strict type validation.

What this means

Account tokens, cookies, crawled content, and generated posts may pass through third-party MCP processes with unclear boundaries.

Why it was flagged

The skill connects multiple MCP services that can process social-media data and credentials, but the artifacts do not define identity, permission, or data-boundary controls for those services.

Skill content
"xiaohongshu-mcp": { "command": "npx xiaohongshu-mcp-steve" }, "reddit": { "command": "npx -y @theglove44/reddit-mcp" }, "social-media-engine": { "command": "npx -y @batsirai/social-media-engine-mcp" }
Recommendation

Review each MCP package, pin versions, isolate credentials per service, and document what data each service receives and what actions it is allowed to perform.