Clawhub Skill Toutiao Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Toutiao publishing automation tool, but it can use raw account cookies to publish and schedule live public posts without a clear final approval gate.

Install only if you intentionally want an agent to operate a live Toutiao account. Keep cookie files private and out of repositories, use a dedicated browser/profile, test with --no-publish where available, avoid enabling the scheduler until you have monitoring and a stop procedure, and treat Feishu notifications as sending publication metadata to a third party.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities to read local files (config and cookie files), write files/logs, and access the network, but does not declare permissions or prominently scope those actions. This is dangerous because an agent may be granted broader implicit access than a user realizes, especially when handling session cookies and external notification endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose centers on Toutiao publishing, but the skill also reads sensitive local configuration and cookie files and sends Feishu notifications to external services, while understating those behaviors. This mismatch prevents informed consent and can lead to unexpected data exposure or account actions, particularly because session credentials and publishing automation affect real external accounts.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
The script sends publication details to Feishu after posting, which is outside the core function of publishing to Toutiao and is not clearly disclosed at the point of use. Although the data sent appears limited to content preview, topic, and account name, it still creates an unexpected outbound data flow to a third-party service.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation examples use broad natural-language commands such as asking the agent to publish content or enable hourly posting, without requiring explicit confirmation or constrained parameters. In an agent setting, this increases the chance of unintended activation that can modify external account content or enable persistent automation from a casual prompt.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The description emphasizes convenience and full automation but does not prominently warn that the skill can publish directly to a user's external Toutiao account and create scheduled recurring posts. Without a clear warning, users may invoke the skill without understanding that it performs live account modifications rather than draft-only assistance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cookie-based login instructions tell users to export and inject full account session cookies, but they do not strongly warn that these cookies are effectively account credentials. If mishandled, leaked, or reused by the skill or surrounding agent environment, an attacker could gain unauthorized access to the user's Toutiao account and act as that user.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This code persists authentication cookies directly to disk in plaintext JSON without any access controls, encryption, permission hardening, or user-facing warning about storing sensitive session material. In the context of an automation skill that logs into a Toutiao account via cookies, theft of this file could enable account takeover or unauthorized posting until the session expires.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads session cookies from disk and injects them into a browser context, enabling authenticated access without any explicit safety controls, origin restrictions, or user confirmation. In a skill whose purpose is full automation of account posting, this increases the risk of account takeover or misuse if the cookie file is stolen, replaced, or sourced from an untrusted location.

Missing User Warnings

High
Confidence
95% confidence
Finding
The code automatically clicks publish and follow-up confirmation buttons based on generic text matching, with no explicit human approval step before final submission. In the context of a fully automated publisher, this can cause unauthorized or accidental public posting, reputational damage, policy violations, and misuse if upstream content generation or page state is manipulated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs a real publish action by clicking a detected '发布' button with no confirmation gate, dry-run default, or final operator approval. In this skill's context, the action is especially risky because it automates content generation and browser login, so a mistaken run, bad selector match, or maliciously modified content can immediately post to a live account.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads authentication cookies from disk and injects them directly into a browser session, effectively reusing account credentials without additional verification or prominent disclosure. In an automation skill that publishes to a real media account, this increases the blast radius of local file compromise, misconfiguration, or accidental use of the wrong account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code transmits a snippet of the published content, the topic, and the account name to Feishu without any nearby warning, consent check, or clear disclosure. In an automation skill that already handles account cookies and publishes on behalf of the user, this hidden secondary exfiltration channel increases privacy and operational risk, especially if posts are sensitive, embargoed, or tied to a real identity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This scheduler can automatically generate and publish content with the --now flag or on an hourly schedule without any human approval gate, dry-run mode, or explicit confirmation before sending content to the external platform. In the context of a fully automated publishing skill, this increases the risk of accidental spam, publication of harmful or policy-violating AI-generated content, or abuse if the host is misconfigured or compromised.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.28.0
schedule>=1.2.0
Pillow>=9.0.0
Confidence
93% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.28.0
schedule>=1.2.0
Pillow>=9.0.0
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.28.0
schedule>=1.2.0
Pillow>=9.0.0
Confidence
89% confidence
Finding
schedule>=1.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.28.0
schedule>=1.2.0
Pillow>=9.0.0
Confidence
99% confidence
Finding
Pillow>=9.0.0

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

Known Vulnerable Dependency: Pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
Pillow

VirusTotal

65/65 vendors flagged this skill as clean.
