Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi-Platform Video Publishing

v1.0.0

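A multi-platform short-video auto-publishing tool supporting Douyin, WeChat Channels, Kuaishou, Xiaohongshu, and Bilibili. Use this skill when the user says things like "publish video", "upload video to Douyin/Xiaohongshu/WeChat Channels/Kuaishou/Bilibili", "post the video to all platforms", "log in to Douyin", or "video publishing". Under the hood it uses Playwright + the local Chrome to operate each platform's creator dashboard and complete the automated publish; all code is self-contained in...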

by kang @kay1003
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim to automate uploads using Playwright + local Chrome and all code is in scripts/ — that matches the included uploader modules. However the SKILL metadata declares no required env/binaries while the code clearly requires a local Chrome, Python packages (playwright, biliup, etc.), and (implicitly) a biliup executable for Bilibili. The README/SKILL.md also references an XHS_SERVER signing service. The '完全自包含,无外部依赖路径' ('fully self-contained, no external dependency paths') statement is therefore misleading.
Instruction Scope
SKILL.md instructs the agent to run setup.py and publish.py (login/run), check and write cookie files under scripts/cookies, and open browser windows for QR/manual login. Those instructions stay within the uploader/publishing scope. Note: the agent will read/write cookies (sensitive authentication tokens) and will invoke subprocesses and Playwright-controlled browsers per the script; this behavior is expected for the stated purpose but is sensitive in nature.
Install Mechanism
No platform install spec is provided (instruction-only), but setup.py performs pip installs (playwright, biliup, loguru, requests) and runs 'playwright install chromium' which downloads browser binaries. That's a moderate-risk installation action (third‑party packages and browser binaries). The pip packages listed are common, and no unusual download URLs are used in the code, but the runtime will download Chromium via Playwright.
Credentials
Declared metadata lists no required env vars, yet code and docs reference VIDEO_DIR, CHROME_PATH (CHROME_PATH/LOCAL_CHROME_PATH), and XHS_SERVER. XHS_SERVER is used for remote signing via requests.post — default is http://127.0.0.1:11901 but can be pointed elsewhere. The skill saves and reads cookies from scripts/cookies (sensitive credentials). The environment/credential requirements are relevant to function but are not reflected in the skill metadata and the presence of an external signing endpoint increases attack surface if misconfigured.
Persistence & Privilege
always:false (normal). The skill writes conf.py (setup writes detected Chrome path) and stores cookies under scripts/cookies; this is expected for a publishing tool. It does not request elevated system-wide privileges or attempt to modify other skills. Autonomous invocation is allowed (platform default) — combine that with cookie access if you intend to allow automatic runs.
What to consider before installing
This skill appears to implement what it says (automated multi‑platform uploads) but has some inconsistencies you should address before trusting it:
1) The skill metadata lists no environment requirements but the code needs a local Chrome, Python packages (playwright, biliup, etc.) and may expect a biliup executable — verify the biliup binary included with the package is legitimate.
2) setup.py will run pip install and playwright install (it will download Chromium) — run that manually in an isolated environment first.
3) The skill saves account cookies under scripts/cookies; those files contain account session data — treat them as sensitive and store them securely.
4) Xiaohongshu signing can call an XHS_SERVER (default localhost) — ensure you run your own local signing service or keep XHS_SERVER pointed to localhost; do not point it to an untrusted remote server.
5) If you plan to let the agent invoke this skill autonomously, be aware it can read/write cookies and run browser automation (which could interact with logged‑in accounts).
Recommended actions: inspect the bundled biliup executable (if present), run setup.py and publish.py manually in a controlled environment first, confirm XHS_SERVER behavior, and back up/remove any saved cookie files for accounts you do not want automated. If you want, provide me with specific files (e.g., the Bilibili uploader folder or any included executables) and I can look for anomalies in those binaries or scripts.
scripts/utils/stealth.min.js:7
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
