Zshijie Publisher
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for Z视介 publishing, but it stores a login session and by default sends that session cookie to a non-HTTPS publishing endpoint while posting or editing account content.
Install only if you trust this skill to operate your Z视介 account. Prefer an HTTPS API host, keep the saved session file private, delete it after use, and review every publish/edit payload before letting the agent run the command.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network observer or proxy could potentially see the Z视介 session token and use it to act as the logged-in account, including publishing or editing content.
The default publishing host is plain HTTP, and the configured publish/edit operations send the account session token as both a header and cookie.
"base_url": "http://zugcpublish.cztv.com" ... "headers": { "sessionId": "{{sessionId}}", "Cookie": "sessionId={{sessionId}}" }
Use an HTTPS publishing host if the service supports it, avoid untrusted networks, do not override --base-url to an untrusted host, and log out or delete/rotate the session after use.
Anyone with access to the saved session file may be able to reuse the logged-in publishing session.
The skill intentionally captures and persists a Z视介 login session for later API calls.
After scan success, extract `sessionId` from the QR polling response or `Set-Cookie` headers. Save it to the local session file.
Store the session file in a private location, avoid committing or sharing it, and delete it when publishing work is complete.
Incorrect or unintended JSON input could publish the wrong article/video or edit existing content.
The skill exposes mutating publish/edit actions against a third-party account, which is expected for this publisher skill but high-impact if invoked with the wrong payload.
Run one of `publish-article`, `edit-article`, `publish-video`, or `edit-video`.
Require the user to review the final JSON body, target account, article_id for edits, and destination host before running publish or edit commands.
