Social Media Metrics

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it uses anti-detection browser automation and persistent logged-in browser sessions, so it needs review before installation.

Install only if you are comfortable with browser scraping that may evade platform bot detection. Use a dedicated browser profile and low-risk social account, avoid logging in with important accounts, and delete ~/.playwright_cdp_profile when you no longer want the skill to retain session cookies.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Using the skill may run browser automation in a way designed to avoid platform detection, which can trigger blocks, account challenges, or terms-of-service issues.

Why it was flagged

The skill explicitly advertises anti-detection browser automation. Even though scraping metrics is the stated purpose, intentionally evading platform bot controls is materially risky and can affect user accounts or violate platform rules.

Skill content

Douyin, Kuaishou, and Xiaohongshu use Chrome's CDP (DevTools Protocol) mode for better anti-detection.

Recommendation

Prefer official APIs where available, require explicit user approval before anti-detection browser runs, and clearly warn users when a query will use stealthy automation.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill can reuse a logged-in social-media session after the first QR login, so future runs may act with the user's account context even if only reading metrics.

Why it was flagged

The skill stores and reuses authenticated account cookies. This is disclosed in SKILL.md, but it is high-impact session authority for a metrics tool and is not reflected in the registry credential/config declarations.

Skill content

Xiaohongshu requires an authenticated session... persistent profile at `~/.playwright_cdp_profile`... Cookies are persisted in the Chrome profile — no login needed until the session expires.

Recommendation

Use a dedicated low-privilege account/profile, document cleanup steps for ~/.playwright_cdp_profile, and require confirmation before using any persisted login session.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installation may pull newer package or browser versions than the author tested.

Why it was flagged

The dependency versions are lower-bounded rather than pinned, and SKILL.md instructs installing these packages plus Playwright Chromium. This is expected for a browser-scraping skill, but it leaves dependency resolution to install time.

Skill content

requests>=2.31.0
playwright>=1.40.0
beautifulsoup4>=4.12.0

Recommendation

Install in a virtual environment and prefer pinned, reviewed dependency versions for production use.