Skill v1.1.0
ClawScan security
内容捕手 Content Hunter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 23, 2026, 3:02 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's scraping instructions mostly match its stated purpose, but several instruction-level behaviors (hardcoded report target, stealthy rules, and automatic cron deletion) are concerning and not justified by the manifest.
- Guidance: Before installing, consider these concrete checks and mitigations:
  1. Confirm who will receive reports — the SKILL.md hardcodes a specific group ID; do not install unless you trust that destination.
  2. Ask the author to remove or make configurable the hardcoded group and to document exactly how reports are sent (which messaging tool/API).
  3. Require the skill to declare dependencies (the bilibili transcript script) and any credential needs; avoid implicit reliance on browser sessions you may not intend to share.
  4. Request that the cron-cleanup step be narrowed (only delete cron jobs the skill created, or prompt the user) to avoid accidental deletion of unrelated crons.
  5. Test in an isolated account/environment first and avoid granting the agent broad messaging/send permissions or autonomous invocation until you verify behavior.
  If you cannot get these changes or explanations, do not install or run this skill with access to sensitive sessions or production systems.
Review Dimensions
- Purpose & Capability [note]: The name/description (crawl hot short-video content) aligns with the instructions to open pages, snapshot content, and save markdown files. Minor mismatches: the README and SKILL.md list an external helper (bilibili-youtube-watcher/get_transcript.py) but the skill's metadata does not declare that dependency; the skill notes that Xiaohongshu requires login but requests no credentials or environment variables (it implicitly relies on existing browser sessions).
- Instruction Scope [concern]: Runtime instructions include several risky or unusual actions: (1) a hardcoded required destination group ID (oc_d21f6b6f9bd843444622c8e221134f47) as the only allowed report target — this effectively instructs exfiltration to a specific endpoint; (2) an explicit rule to be stealthy during scraping ('do NOT send any progress messages to group chats during scraping'), which combined with the hardcoded report target is suspicious; (3) instructions to run a cross-skill script (get_transcript.py) without declaring that dependency; (4) instructions to read and merge all task folders for the day, which could aggregate more data than expected. These behaviors go beyond basic scraping and grant the skill broad discretion about data collection and delivery.
- Install Mechanism [ok]: This is an instruction-only skill with no install spec or code files to execute. That minimizes install-time risk. The README mentions git clone or ClawHub install, but no installation steps are enforced by the manifest.
- Credentials [concern]: The skill declares no required environment variables or credentials, yet it expects to access logged-in pages (Xiaohongshu login required) and to send reports to a specific group. The manifest does not justify where credentials/sessions come from or why a hardcoded group ID is necessary. The absence of declared credentials combined with explicit external reporting is a proportionality concern.
- Persistence & Privilege [concern]: The skill instructs post-report cleanup by running 'openclaw cron list' and deleting any cron entries whose names contain '内容捕手' or 'hunter'. This modifies scheduled tasks and could inadvertently delete other users' crons with similar names. While always:false and no persistent install are fine, the ability to find and remove crons is a privileged operation and not scoped narrowly enough.
