Skillv0.1.0

ClawScan security

Baoyu Post To X · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 8:59 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (posting to X via a real Chrome session) matches the code, but the package metadata omits important prerequisites and the instructions/scripts access sensitive local state (Chrome profile, $HOME config, system clipboard, and OS automation), which is disproportionate to what the metadata declares and deserves caution.
Guidance: This skill will launch a real Chrome instance, rely on a persistent Chrome profile (to use your logged-in X session), and use system clipboard + OS automation (osascript/xdotool/powershell) to paste images — it requires Chrome and the bun runtime even though the registry metadata lists none. Before installing or running it: - Treat it as powerful: running it with your default Chrome profile lets it act from your logged-in X account and gives access to cookies and other browser data. Prefer creating and specifying a dedicated Chrome profile directory with --profile to isolate credentials. - Expect to grant OS automation/accessibility permissions (macOS Accessibility, xdotool/ydotool, etc.). Only grant these if you trust the code. - The skill reads $HOME/.baoyu-skills/baoyu-post-to-x/EXTEND.md and project .baoyu-skills/... files for config — review those files if present and be cautious about placing secrets there. - The code downloads remote images referenced in Markdown; network I/O is expected but review md-to-html.ts for allowed hosts if you have concerns. - If you need to proceed, inspect x-utils.js (not shown in the summary) for any unexpected network endpoints, file writes outside temp directories, or code that reads other local secrets. Run the skill in a sandboxed environment or VM first, and avoid using your primary Chrome profile. Summary recommendation: do not install blindly. The behavior is consistent with posting via a real browser, but the metadata underreports the privileges and filesystem access; treat this skill as high-privilege and only use it with explicit isolation and review.

Review Dimensions

Purpose & Capability: concernThe skill truly implements posting to X using a real Chrome/CDP flow (consistent with its description). However, the registry metadata claims no required binaries/env/config paths while SKILL.md and the scripts explicitly require Google Chrome/Chromium, the bun runtime, and access to a Chrome user profile directory (persistent login). That mismatch between declared requirements and actual needs is an incoherence the user should notice.
Instruction Scope: concernThe runtime instructions and scripts do more than just call an API: they (a) read EXTEND.md from the project or $HOME, (b) launch and attach to real Chrome with a persistent profile (potentially reusing the user's default profile), (c) copy images/HTML to the system clipboard and send real OS keystrokes (osascript/xdotool/powershell), and (d) download remote images referenced in Markdown. The SKILL.md metadata did not declare these filesystem and automation accesses. These actions require high OS-level privileges (accessibility/automation) and access to local user data (Chrome profile, home directory).
Install Mechanism: noteNo install spec is provided (instruction-only), which lowers installer-supply-chain risk. However the skill includes multiple runnable TypeScript/JS files that the agent will execute via 'bun' / 'npx -y bun ...'. That execution will run local scripts and may invoke system commands (swift/osascript/xdotool/powershell), so there is runtime risk even without an explicit install step. The scripts also perform network downloads for remote images.
Credentials: concernRegistry/metadata declare no required env vars or config paths, yet the instructions and code reference/expect environment/config state: X_BROWSER_CHROME_PATH is mentioned, a default Chrome profile directory is used (getDefaultProfileDir), EXTEND.md is read from $HOME, and the skill will read local files (images, markdown) and the user's Chrome profile data (cookies/session). These are sensitive and not reflected in the declared requirements — requesting access to the user's Chrome profile and home config is disproportionate unless the user knowingly provides a dedicated profile directory.
Persistence & Privilege: noteThe skill is not 'always' installed and does not request elevated platform privilege in metadata. It does, however, expect to reuse or create Chrome user-data directories and may detect/attach to an existing Chrome instance (DevToolsActivePort). This gives it access to an authenticated browser session (cookies, local storage) if the default profile is used. That level of local-state access increases blast radius and should be explicit to users, though it is logically necessary for persistent login.