Skill v1.0.2

ClawScan security

Weibo Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 13, 2026, 11:17 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to implement a plausible Weibo automation tool, but its declared requirements and runtime instructions don't match the shipped code (missing declared dependencies, hardcoded local paths, implicit reliance on a Feishu sender, and contradictory guidance about autonomous publishing), so proceed cautiously and audit before use.
Guidance
Key things to consider before installing or running this skill:

- It contains real executable Node scripts (Puppeteer) but declares no required binaries or env. You will need Node, npm and a Chrome binary; review the dependency list and install it in a controlled environment.
- The skill requires a cookies.json file holding Weibo session cookies (sensitive). Do not hand cookies to untrusted code; prefer a manual, audited cookie export, stored with least privilege (owned by the running user, not group/world readable).
- SKILL.md forbids autonomous publishing, but the skill metadata does not enforce that: an agent or other automation could run publisher.js directly. If you must use this, disable autonomous invocation or put a strict admin approval gate in front of the publish step.
- The code calls out to other local skills and tools (skills/feishu-sender/* and 'uv run ...'), and some scripts reference absolute user paths (e.g. /Users/runchen/...). Audit those called scripts (feishu-sender and nano-banana-ultra) before running; they may transmit data off-host.
- Child-process execution is used for notifications and image generation. Verify what those subprocesses do and where they send data (Feishu chat IDs are passed around), and confirm that the Feishu credentials and endpoints are legitimate.
- Recommendation: do not run this on a production or personal machine until you (1) review all referenced files (feishu-sender, nano-banana-ultra scripts), (2) fix the hard-coded executablePath and absolute user paths, (3) explicitly provide and lock down cookies.json, (4) document and supply the required env credentials, and (5) disable autonomous invocation or enforce an approval gate. If you still want to test it, run it inside an isolated VM or container and monitor its network activity.

Review Dimensions

Purpose & Capability
Concern: The package contains many Puppeteer-based scripts for login, publishing and deleting posts, plus a number of unrelated image-generation helpers. The registry metadata, however, declares no required binaries, no env vars and no primary credential. In reality the code needs Node, a Chrome binary (executablePath is hard-coded to the macOS Chrome location), a cookies.json session file, and appears to depend on a separate 'feishu-sender' skill. None of these runtime needs are declared, and the registry entry has no short description against which to judge them, so what the code actually requires is inconsistent with, and disproportionate to, what the listing claims.
Instruction Scope
Concern: SKILL.md emphasizes a strict Request -> Approve -> Execute flow and forbids autonomous publishing or reading comments. The code, however, executes external commands via child_process.execSync to call other scripts (skills/feishu-sender/*) and runs external generators via 'uv run ...'. Several generation scripts reference absolute user-local paths (e.g. /Users/runchen/.openclaw/...), so the skill reads local files outside its own directory; the README does not disclose this. The skill also requires a cookies.json containing session cookies (sensitive) but does not say how that file is protected or validated.
Install Mechanism
Concern: No install spec is provided even though package.json and package-lock.json are present and the code depends on many npm packages (puppeteer-core, puppeteer-extra, axios, etc.). The missing install step is a mismatch: running these scripts requires installing those dependencies and a suitable browser binary. The code also invokes external tools via 'uv run', which pulls other skill code in at runtime; this widens the attack surface and is not documented in SKILL.md.
Credentials
Concern: The skill declares no required env vars, yet it loads dotenv and invokes another skill (feishu-sender) that almost certainly needs Feishu API credentials; none of those are declared. It requires an explicit cookies.json (sensitive auth data) but does not declare it as a required secret. Several generator scripts refer to absolute user file paths, which could give access to arbitrary local files; that is disproportionate and risky relative to a simple Weibo publishing description.
Persistence & Privilege
Concern: The skill is not marked always:true (good), but the platform metadata leaves autonomous invocation enabled while SKILL.md forbids any autonomous publishing and requires human approval. That is a behavioral mismatch: nothing in the metadata enforces the safety constraint SKILL.md states, so an agent could call publisher.js directly if misconfigured or maliciously instructed.