Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

social-parser

v1.0.1

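Parses Douyin videos and Xiaohongshu notes, extracting core information such as title, cover, description, tags, and author. Invoke when the user wants to parse, fetch, scrape, or extract Douyin video data or Xiaohongshu note content, or has pasted a Douyin/Xiaohongshu link and wants to see the content details. Common phrasings: 'Help me parse this Douyin link', 'Get the Xiaohongshu note content', 'Scrape the video info', 'Extract the title and tags of this Xiaohongshu post', 'Analyze this video'.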

by AIconductor @huyi9531
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md tells the agent to run a CLI (gnomic) to parse Douyin and Xiaohongshu links and extract title, cover, text, tags, author, and media URLs. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Instructions are narrowly scoped to (1) detect link type, (2) run `gnomic social dy-video <url>` or `gnomic social xhs-note <url>`, and (3) parse/display returned JSON. They explicitly state remote API calls will be made and provide a text output flag. The SKILL.md does not instruct reading arbitrary local files or unrelated env vars.
Install Mechanism
There is no formal install spec in the metadata, but the SKILL.md recommends `npm install -g gnomic-cli` and points to a GitHub repo. That means at runtime the agent or user may download and run third‑party code from npm/GitHub. Installing global npm packages executes remote code and can modify your system; verify the package and its maintainer before installing.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to the described functionality. Note: the external gnomic CLI or the remote APIs it calls might have their own requirements (not declared here).
Persistence & Privilege
The skill is not always-on and does not request elevated privileges or to modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but is not combined here with other high-risk features.
Assessment
This skill is internally consistent: it tells the agent to use a third‑party CLI to fetch and parse Douyin/Xiaohongshu content and does not ask for unrelated credentials. Before installing or running it, verify the gnomic-cli package/repo (review source, maintainer, recent changes) because the SKILL.md suggests installing it from npm/GitHub — npm packages run code on your machine. Prefer installing in a sandbox or running the CLI manually and pasting results to the agent if you are unsure. Also consider legal/ToS implications of scraping platform content and be cautious about handling private or copyrighted material.

Like a lobster shell, security has layers — review code before you run it.

latest vk9757c8mp0pshvrvm7bgr2c0j5843bkr
