Skill v1.0.2

ClawScan security

xhs-search-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 11:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement the claimed Xiaohongshu scraping workflow using AgentBay + Playwright, but its metadata, runtime instructions, and code disagree about required credentials and it logs/saves sensitive session information in ways that could leak secrets or allow remote access.
Guidance
What to consider before installing and using this skill:
- Credentials: The skill requires an AgentBay API key (AGENTBAY_API_KEY) even though the registry metadata doesn't declare it. Do not put secrets into a repo file; prefer setting the API key as an environment variable rather than saving it in config.json.
- Logging exposure: The code currently logs the AgentBay API key to logs/ and console. Ask the author to remove or redact logging of secrets before using the skill. Inspect logs/ after any run and delete sensitive log files.
- status.md and session resource_url: The skill writes session_id and resource_url to status.md so you (or the agent) can complete remote login. Treat status.md as sensitive: do not share it. Anyone with a resource_url/session_id might be able to connect to the sandboxed browser — use a throwaway account if possible.
- Data flow to AgentBay: Extraction uses the AgentBay SDK (agent.extract). Page content and extracted text are processed by that service; confirm you are comfortable with the data reaching the AgentBay endpoint. Review the AgentBay SDK/package source (wuying-agentbay-sdk or the actual package name) before use.
- Fixes to request: The skill should be updated to (1) declare the required env vars/primary credential in metadata, (2) stop logging API keys, and (3) avoid writing sensitive resource URLs or full file paths into status.md or at least redact them. After those fixes, the design would be coherent for its stated purpose.
- Operational precautions: Use a dedicated account for Xiaohongshu login, configure proxies carefully, inspect and purge config.json and status.md after runs, and review log files for accidentally recorded secrets.
Findings
[requires_agentbay_api_key_but_metadata_missing] expected: The skill requires an AgentBay API key (checked in validate_agentbay_env and created/used by AsyncAgentBay) which is appropriate for the stated purpose, but the registry metadata listed no required environment variables or primary credential.
[api_key_logged_to_file_and_console] unexpected: create_or_reuse_session logs the api_key value (API key) via _log.info which will be written to logs/ and console. Logging secrets is a clear leakage risk and contradicts best practices.
[resource_url_and_paths_written_to_status] unexpected: Scripts write resource_url, session_id, full output paths, and file lists into status.md and write_status. SKILL.md tells the agent not to reveal paths to users, but the presence of these values in status.md is a sensitive artifact and could be exposed accidentally.

Review Dimensions

Purpose & Capability
note: The name/description (XHS keyword research via a sandboxed browser) match the code and scripts: the package uses an AgentBay-managed browser + Playwright to search and extract notes and comments. However, the skill metadata declared no required environment variables or primary credential while the code clearly requires an AgentBay API key (agentbay_api_key / AGENTBAY_API_KEY). This metadata omission is inconsistent and reduces transparency for users.
Instruction Scope
concern: Runtime instructions and scripts read and write config.json and status.md, persist a session_id, and create files under output/. The code writes resource_url and session_id into status.md (used to prompt remote login). The SKILL.md forbids exposing local paths to users, but the scripts write full file paths and file lists into status.md. More importantly, create_or_reuse_session logs the AgentBay API key (api_key) to logs/ and console, which could leak credentials. The skill also depends on the AgentBay service to perform page extraction (agent.extract) — expected for purpose, but this means page content and extracted data flow through the AgentBay SDK/service and the user should understand that remote endpoints see this data.
Install Mechanism
ok: This is instruction + code shipped in the bundle with a requirements.txt. There is no remote download or opaque install hook. Dependencies (playwright and an AgentBay SDK) are reasonable for a headless-browser scraping skill. The lack of an explicit install spec in registry metadata is a minor hygiene issue but not a high-risk install mechanism by itself.
Credentials
concern: The scripts require an AgentBay API key and optionally region/endpoint/timeouts and proxy settings — these are proportionate to the described integration. But the published metadata listed no required env vars or primary credential, which is misleading. Additionally, the skill favors config.json values over existing environment variables and will set AGENTBAY_API_KEY from config.json, which can encourage storing secrets in a repo file. The code also logs the API key to log files/console, increasing risk of credential exposure.
Persistence & Privilege
note: The skill persists a session_id in config.json and retains browser cookies in the AgentBay browser context so users stay logged in across runs; this is expected for a scraping/login workflow. always:false and no changes to other skills or system-wide config are present. However, status.md and resource_url contain values that allow remote browser login/connection — treat those as sensitive because someone with resource_url + session_id may be able to access the sandboxed browser.