Multi-platform video publishing (多平台视频发布)

Security checks across malware telemetry and agentic risk

Overview

This is a real video-publishing automation skill, but it can use saved account sessions to post publicly across multiple platforms with limited confirmation and some under-disclosed network and stealth behavior.

Install only if you trust the publisher and intend to let the skill operate real creator accounts. Use dedicated accounts where possible, review the exact platform and video list before running any publish command, avoid all-platform publishing unless intentional, keep XHS_SERVER on a trusted local endpoint, and treat scripts/cookies as sensitive login material that should be protected and deleted when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and operationalizes shell execution, filesystem access, environment variable use, network access, and persistent state, yet declares no explicit permissions or user-facing safety boundaries. In an agent environment, this creates hidden authority: ordinary natural-language requests can cause local command execution, browser automation, credential/cookie storage, and outbound actions without clear consent gating.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This login path expands the skill's behavior by launching a bundled external executable, which is a materially different trust boundary from the otherwise Python/Playwright-based automation described in the skill metadata. If that executable is trojanized or replaced, it could execute arbitrary code with the user's privileges, access local files, or steal authentication material during the login flow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code sends signing inputs to an externally configured server via `requests.post(f"{XHS_SERVER}/sign", ...)`, creating a general-purpose remote signing capability outside the local browser automation flow described by the skill. Because it transmits request parameters and session-related values (`a1`, `web_session`) to another service, a compromised or misconfigured endpoint could harvest credentials or generate signatures for unintended actions.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill description emphasizes self-contained local automation, but this function depends on a separate signing server configured by `XHS_SERVER`. That mismatch is security-relevant because operators may trust the skill as local-only while it actually performs network transmission of sensitive request material, reducing transparency and increasing the chance of silent credential exposure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file is a bundled browser stealth/anti-detection payload that deliberately alters fingerprintable browser properties such as navigator.webdriver, languages, plugins, WebGL, permissions, chrome runtime objects, and iframe behavior. In the context of a video-upload automation skill, this meaningfully increases risk because it enables covert automation against third-party platforms and helps evade bot-detection controls those platforms rely on for abuse prevention and account protection.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README advertises broad natural-language triggers such as '发布视频' and '把视频发到所有平台', which can cause the skill to activate on ambiguous user requests and initiate real posting actions on external platforms. In the context of a skill that controls browser automation and publishes content using persisted login state, weak trigger constraints materially increase the risk of unintended account-impacting actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README describes automatic publishing to multiple real-world platforms but does not clearly warn that the skill performs irreversible external actions affecting live user accounts. In this skill's context, Playwright-driven posting to creator backends can publish content at scale across several platforms, so missing safety disclosure increases the chance of accidental or misunderstood execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that cookies are automatically saved for roughly 30 days without providing a clear warning that these cookies represent reusable authenticated session state. Because the skill stores login state for multiple social-media accounts, inadequate disclosure and handling guidance can lead to credential-equivalent token exposure, unauthorized posting, and account takeover of connected platforms.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger phrases are broad enough to match common requests such as '发布视频', '登录抖音', or '把视频发到所有平台', which can cause the agent to invoke powerful local automation unexpectedly. Because this skill can log into platforms and publish content, accidental triggering can lead to irreversible posts, account actions, or credential handling with minimal user friction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that cookies for each platform are automatically generated and reused, but it does not prominently warn users that persistent login artifacts are stored locally for multiple accounts. In practice, these cookies may grant ongoing session access if read or exfiltrated by other local processes, users, or future agent actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill supports one-shot publishing to all logged-in platforms, but the description does not clearly warn that this may perform immediate, irreversible distribution across multiple accounts. In the context of agent automation, this significantly raises the risk of accidental mass posting, reputational damage, and unintended disclosure of content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The setup script automatically installs Python packages and browser components immediately after launch, without an upfront warning or explicit opt-in before modifying the environment and downloading software. In this skill context, users may run setup.py expecting a harmless configuration step, so undisclosed package installation increases supply-chain and trust risks.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script rewrites conf.py in place based on detected or user-provided paths without giving an upfront notice that a local source file will be modified. While not an exploit primitive on its own, silent configuration-file mutation can surprise users, break local changes, and make security review harder in a self-contained automation skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists authenticated browser storage state to disk via `context.storage_state(path=account_file)` after an interactive login flow, but this path contains no explicit user consent, warning, or protection for the sensitive session material being written. In this skill's context, those cookies grant access to a creator account on Douyin, so local malware, other users on the same host, or later workflows that read the file could reuse the session and publish content or access account data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upload flow refreshes and rewrites the authenticated cookie/storage file on disk without notifying the user that sensitive session credentials are being updated and retained. Because this automation targets social media creator backends, the saved state is effectively a reusable login artifact; compromise of the file could enable unauthorized posting, account actions, or session hijacking.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists authenticated browser session state to disk via Playwright storage_state without any visible consent flow, disclosure, or protection controls in this file. Because these state files can contain reusable authentication material, anyone with local access to the file may hijack the linked Kuaishou account and perform actions as the user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code automatically clicks the publish and confirm-publish controls, causing real external posting to a third-party platform. In an automation skill that can be triggered by natural-language commands, lack of an explicit in-flow confirmation increases the risk of unintended or unauthorized publication, account misuse, or social/media impact if the skill is invoked accidentally or by prompt manipulation upstream.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The signing request posts `a1` and `web_session`, which are session-related authentication values, to the configured signing service without any visible warning, consent, or trust boundary checks. In the context of a multi-platform auto-publishing skill that already handles logged-in browser sessions, this materially increases risk because those values may enable account impersonation, tracking, or replay if intercepted or retained by the server.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The browser automation injects an `a1` authentication cookie directly into a live Xiaohongshu session, which is a sensitive action because it programmatically assumes an authenticated identity. While this may be part of the intended upload workflow, the absence of disclosure, validation, or scope restriction means stolen or unintended cookies could be used to access or act on a user's account without clear user awareness.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The code forces navigator.languages to ['en-US','en'] when no options are provided, misrepresenting the user's real locale without consent. By itself this is lower severity, but inside a stealth bundle it contributes to identity spoofing and can create deceptive or policy-violating automation behavior across platforms.

VirusTotal

64/64 vendors flagged this skill as clean.