Zshijie Publisher
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network observer or proxy could potentially see the Z视介 session token and use it to act as the logged-in account, including publishing or editing content.
The default publishing host is plain HTTP, and the configured publish/edit operations send the account session token as both a header and cookie.
"base_url": "http://zugcpublish.cztv.com" ... "headers": { "sessionId": "{{sessionId}}", "Cookie": "sessionId={{sessionId}}" }
Use an HTTPS publishing host if the service supports it, avoid untrusted networks, do not override `--base-url` to an untrusted host, and log out or delete/rotate the session after use.
Anyone with access to the saved session file may be able to reuse the logged-in publishing session.
The skill intentionally captures and persists a Z视介 login session for later API calls.
After scan success, extract `sessionId` from the QR polling response or `Set-Cookie` headers. Save it to the local session file.
Store the session file in a private location, avoid committing or sharing it, and delete it when publishing work is complete.
Incorrect or unintended JSON input could publish the wrong article/video or edit existing content.
The skill exposes mutating publish/edit actions against a third-party account, which is expected for this publisher skill but high-impact if invoked with the wrong payload.
Run one of `publish-article`, `edit-article`, `publish-video`, or `edit-video`.
Require the user to review the final JSON body, target account, article_id for edits, and destination host before running publish or edit commands.
