Back to skill

Security audit

juejin-pins-publish

Security checks across malware telemetry and agentic risk

Overview

This skill transparently automates publishing user-requested posts to Juejin using the user’s logged-in browser session.

Install only if you want OpenClaw to post to Juejin for you. Before publishing, verify the active Juejin account and ask the agent to show the exact content, club, topic, links, images, and code before the final click.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill performs a real external side effect—publishing a social post—without requiring an explicit confirmation step immediately before clicking the final publish button. This creates a risk of unintended or manipulated posting, especially if upstream user input is ambiguous, maliciously injected, or the agent misinterprets the request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.