zeelin-social-autopublisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed social-media automation tool, but it can control logged-in browser sessions, publish or reply publicly, and create recurring jobs with limited confirmation safeguards.

Review this before installing if you are not comfortable with an agent controlling a logged-in Chrome profile. Use review or dry-run first, avoid recurring cron jobs unless you explicitly want scheduled public posting/replies, use an isolated browser profile, do not enable QWEN_INSECURE_SSL, and assume topics/materials may be sent to DuckDuckGo and DashScope when generation runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Tainted flow: 'req' from os.environ.get (line 114, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
        )
        if ssl_bad and QWEN_INSECURE_SSL:
            ctx = ssl._create_unverified_context()
            return urllib.request.urlopen(req, timeout=timeout, context=ctx)
        if ssl_bad and not QWEN_INSECURE_SSL:
            print(
                "[generate_content] SSL 证书校验失败,已回退模板。"
Confidence: 90%
Finding:
return urllib.request.urlopen(req, timeout=timeout, context=ctx)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill advertises significant capabilities including shell execution, network access, environment-variable use, and file read/write, but does not declare permissions. This undermines least-privilege review and informed consent, making it easier for an orchestrator or user to invoke a highly capable automation package without understanding its full access and side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The documented description materially understates behavior: the skill can create scheduled jobs, launch Chrome with remote debugging, perform autonomous searches and posting, call external LLM services, and run growth/reply automation. That mismatch is dangerous because reviewers may approve it as a simple publishing helper while it actually enables persistent automation, data egress to third parties, and potentially abusive social-platform actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The reference prompt materially expands the skill from social publishing/draft generation into automated X growth engagement, including searching for follow-back posts and replying to users. That scope shift is dangerous because it can trigger account-impacting actions and policy violations that are not clearly disclosed by the manifest, increasing the chance that an operator invokes behavior they did not consent to or properly review.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The prompt frames the workflow as 'using the skill' while actually directing the agent to execute a local script, and elsewhere to rely on browser/CDP automation. That indirection hides the real execution path and trust boundary, making it easier for an agent or user to authorize actions without understanding that local code and browser automation will perform live account actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This helper creates a scheduled automation flow for X mutual-follow engagement, which goes beyond the stated autopublisher/draft-oriented scope in the metadata. Scope expansion matters in agent skills because users may trust the declared purpose while the script silently provisions recurring growth-hacking behavior on an external platform.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The script provisions follower-growth reply automation that is not reasonably implied by a normal social autopublisher. In practice this can lead to unattended mass engagement behavior, platform-policy violations, reputation damage, and user surprise because the capability is framed as a helper rather than a high-risk automation workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The script performs undeclared web searching and fetches external reference materials as part of content generation. This expands the skill's data exposure and network behavior beyond what a user may expect from a social copy generator, and can leak sensitive or proprietary topics to third-party search services. In an automation context, silent enrichment also increases supply-chain risk because remote content influences generated outputs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The script adds X/Twitter growth-reply automation beyond straightforward multi-platform autopublishing, creating a material capability mismatch between the stated skill purpose and the actual behavior. Hidden or under-disclosed engagement automation is risky because users may invoke the skill expecting content publishing only, while the script also performs interactive actions that can affect accounts, reputation, and platform compliance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
Automated replies to mutual-follow/follow-back search results are unrelated to normal autopublishing and can drive spam-like engagement behavior from a logged-in account. In this skill context, the danger is elevated because the description emphasizes content publishing/draft workflows, not outbound interaction automation, so users may not anticipate or properly review these account actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The code clicks a generic button in an already authenticated WeChat publishing tab, which can trigger immediate publication rather than safely creating a draft as the skill description claims. In the context of a social autopublisher, this mismatch is dangerous because it can cause unintended public posting from the user's account without an explicit confirmation step.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The script does not merely prepare content or save drafts; it actively automates interaction with a logged-in Xiaohongshu session and clicks a page button to submit content. In an agent skill, this creates unauthorized or unintended posting risk, especially because the platform action is inferred from fragile selectors and occurs without an explicit user confirmation step.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script connects to the browser DevTools Protocol and uses Runtime.evaluate to execute arbitrary JavaScript in the context of an authenticated Xiaohongshu tab. This is significantly more powerful than simple form submission: if the inputs or target selection are manipulated, the mechanism can read page data, trigger other actions, or interact with the user's logged-in browser state beyond the stated publishing purpose.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The prompt instructs automated replies through local Chrome/CDP against a live X account without a user-facing warning about account, reputation, and platform-enforcement risks. In this skill context, the automation is directly aimed at growth engagement with strangers, making accidental spam-like behavior, account restrictions, or unintended public interactions more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script launches Chrome with the DevTools remote debugging interface enabled and reuses a persistent user profile while opening authenticated social-media sites. Any local process that can reach the CDP port can inspect pages, cookies, and DOM state, and can drive logged-in browser sessions to perform actions as the user; the lack of an explicit warning or consent step increases the likelihood of unsafe use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script creates cron jobs that will perform external network actions—posting and automated replies on X—without a strong, explicit warning or confirmation at creation time. Because the behavior is scheduled and recurring, users may unintentionally authorize ongoing actions from a logged-in browser profile, increasing the chance of unintended posting, spammy behavior, or account misuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script sends the user topic plus fetched reference materials to an external LLM service without clear user-facing disclosure or consent at the point of transmission. If topics contain confidential plans, campaign details, or personal data, this creates a privacy and data-governance risk. The danger is amplified because the script also enriches prompts with externally fetched material, increasing the volume and sensitivity of what leaves the local environment.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
In default publish mode, the wrapper directly invokes the downstream publishing script without any explicit runtime confirmation or warning, despite operating on logged-in social media sessions. In this skill context, that increases the chance of accidental real-world posting if an operator misunderstands the default or passes incomplete review inputs.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script automates a button click in the user's live, logged-in WeChat browser tab without warning, confirmation, or even precise selector validation. Because it attaches to an existing authenticated CDP session and uses document.querySelector('button'), it may activate a publish or other sensitive action unpredictably, leading to unauthorized or accidental account activity.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script directly drives an already logged-in Weibo browser session through the Chrome DevTools Protocol and clicks the publish button without any in-script confirmation, approval gate, or clear safety interlock. In the context of an autopublisher skill, this is especially risky because any upstream prompt injection, bad parameterization, or accidental invocation can cause unintended public posts from the user's authenticated account.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script silently discovers a local Chrome DevTools endpoint and opens a WebSocket control channel to an existing browser session without any user warning or consent gate. Because this targets a live authenticated browser, it can operate with the user's existing privileges and makes accidental or opaque browser control much more dangerous in the context of an agent skill.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The code programmatically clicks the first matching button on the page to submit content, with no confirmation, no dry-run checkpoint, and no verification that the button is actually the intended publish control. In a logged-in social platform context, this can cause unintended public posting or trigger the wrong action if the page structure changes.

VirusTotal

66/66 vendors flagged this skill as clean.