XHS Auto-Publish
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: xhs-auto-publish
Version: 1.0.0
The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability present in `publish.js`. The script uses `fs.readFileSync` for `--body-file` and `fs.existsSync` for `--images` without explicit path sanitization beyond `path.resolve`. While intended for legitimate content, this allows an attacker (or a prompt-injected agent) to potentially read arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) by supplying sensitive file paths as arguments. The content of text files could then be included in the Xiaohongshu post, or the existence of files could be confirmed. There is no evidence of intentional malicious behavior like exfiltration to an external server, but the capability to read arbitrary local files constitutes a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A post could be made public on the user's Xiaohongshu creator account without a final confirmation step.
The script defaults to publishing and programmatically clicks the Xiaohongshu '发布' (Publish) button, making a public account mutation unless the user or agent remembers to pass --dry-run.
publish: true ... if (opts.publish) { ... if (btn.textContent.trim() === '发布' && !btn.disabled) { btn.click();
Default to dry-run/preview mode, require an explicit --publish flag, and ask the user to confirm after reviewing the screenshot before clicking Publish.
A user or agent may believe the first run is only a preview when it can actually publish.
This safety claim contradicts the implemented defaults, where publish is true and there is no --publish case in the argument parser; SKILL.md also says to use --dry-run for preview.
The script will NOT click publish unless --publish flag is set. By default it fills everything and takes a screenshot for review.
Remove the contradictory documentation, implement --publish explicitly, and make the help text and SKILL.md consistently describe the safe default.
Anyone running the skill against the logged-in browser can act as the user on the Xiaohongshu creator site for this workflow.
The skill intentionally uses the user's authenticated browser session instead of a scoped API credential; this is disclosed and purpose-aligned, but it grants account-level posting authority through CDP.
No API key needed — uses CDP to control an already-logged-in browser.
Use a dedicated browser profile for this skill, keep CDP bound to localhost, and only run it after confirming which account is logged in.
Setup depends on the user's local npm environment and could resolve to newer dependency versions than the reviewed artifact expected.
The skill depends on an external npm package using a semver range, and the registry metadata/install spec does not declare the setup requirement even though SKILL.md asks users to install playwright-core.
"dependencies": { "playwright-core": "^1.50.0" }
Pin dependency versions, provide a clear install spec or lockfile, and install dependencies from trusted package sources.
