ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

内容自动发布

v1.0.0

自动发布内容到多个平台,支持微信公众号、微博、知乎等平台定时发布。

0· 37·0 current·0 all-time
by@linbo405·duplicate of @linbo405/content-auto-poster-xiaomolongxia
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises automated posting to WeChat, Weibo, Zhihu, etc., scheduling, and analytics, but the package declares no required credentials, no API keys, and no integration endpoints. Real posting requires platform-specific auth (OAuth/API keys) and network calls; those are absent, so the declared purpose does not align with what's requested or specified.
!
Instruction Scope
SKILL.md is high-level marketing-style documentation (inputs/outputs/examples) without concrete runtime steps (which APIs to call, how to authenticate, where data is sent). The instructions are vague and give the agent broad discretion to 'adapt content' and 'publish' without boundaries — this could lead the agent to request or use credentials in ad-hoc ways.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes on-disk risk because nothing is downloaded or installed, which is expected for a pure instructions skill.
!
Credentials
No environment variables, config paths, or primary credential are declared even though posting to external platforms requires credentials. The lack of declared credentials is disproportionate to the claimed functionality and suggests missing or hidden steps for obtaining auth.
Persistence & Privilege
always:false and no install means the skill does not request persistent system presence. The skill is user-invocable and can be invoked autonomously (default), which is normal — but combined with the other concerns, autonomy could increase risk if the agent is later asked to gather credentials.
What to consider before installing
Do not install or provide credentials yet. Ask the publisher for: (1) source/homepage and contact information; (2) concrete integration details — which APIs/endpoints are used and whether OAuth or token-based auth is required; (3) what credentials the skill will ask for and how/where they are stored; (4) a privacy/data-retention policy and whether posts or tokens are sent to a third-party service (the listing charges ¥49/month but gives no SaaS info). If you test, use a throwaway/demo account and never share your main platform passwords. Prefer skills that declare required env vars, show exact API calls, or provide audited code or an official integration page.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eq55z6gj5t6vbjj0b84he6d84re73

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
OSWindows · macOS · Linux

Comments