ClawHub

多平台内容自动发布

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can automatically publish to real Zhihu and Xiaohongshu accounts while storing reusable login cookies on disk.

Review before installing. Use only with accounts you are willing to automate, check content and target URLs manually before running, and protect or delete the ~/.qclaw cookie files after use. Prefer adding a confirmation or draft-only step before allowing this skill to publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script deliberately alters browser automation fingerprints by hiding navigator.webdriver, spoofing window.chrome, and overriding languages while also disabling Blink automation features. That goes beyond normal browser automation for publishing and is intended to evade platform detection, which increases the risk of deceptive or policy-violating automated account activity and makes the skill more dangerous in an auto-publishing context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that authentication cookies are persisted to local JSON files, but it does not present this as a prominent user-facing security warning or explain the sensitivity of those files. Stored session cookies can be stolen by other local processes or users and reused to hijack the user's authenticated publishing accounts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to perform real publishing actions on third-party platforms, but the description frames this as convenience automation without a strong warning that invoking it can immediately post content under the user's live accounts. In this context, accidental invocation, prompt injection into supplied content, or user misunderstanding could lead to unintended public posts, reputational harm, or account policy violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists authenticated Xiaohongshu session cookies to a predictable plaintext file under ~/.qclaw without any permission hardening, encryption, or user warning. If another local user, malware, backup system, or synced folder can access that file, the stored cookies may allow account hijacking and unauthorized posting until the session expires or is revoked.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The answer publishing flow clicks the publish button immediately after filling content, with no explicit confirmation, preview, or user acknowledgment step. In a skill whose purpose is one-click multi-platform posting, this raises the chance of unintended publication, accidental spam, or posting manipulated content under the user's authenticated account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The article flow publishes directly once the publish button is found, again without any explicit confirmation or review checkpoint. Because the script loads persistent cookies from the user's home directory and operates on a live logged-in session, a mistaken invocation can immediately publish content to a real account.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The intent trigger uses broad keywords such as '发布文章' and '自动发布', which can match many ordinary requests and activate a high-impact publishing skill without sufficient specificity. In a skill that can post content to external platforms, unintended activation can lead to accidental publication, reputational harm, or unwanted disclosure of user content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal