Social Media Dashboard
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its dashboard purpose, but it should be reviewed because it can use logged-in browser sessions, cookies, and Chrome debugging to access sensitive account and earnings data.
Install only if you are comfortable letting the skill read logged-in creator dashboards and earnings data through your browser. Prefer using a separate browser profile, avoid sharing raw cookies, close any Chrome debug session after use, and check where local history is stored.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A tool connected to that debugging port may be able to inspect or control more than just the intended Toutiao dashboard pages.
The script starts Chrome with a DevTools debugging port while reusing the default Chrome profile, which can expose broad browser control and authenticated session access to any connected CDP client.
DEBUG_PORT=9222 ... --remote-debugging-port=$DEBUG_PORT ... --user-data-dir="$CHROME_DATA"
Use an isolated temporary Chrome profile for automation, require explicit user confirmation before CDP access, and tell users to close the debug-enabled browser when finished.
The agent could rely on sensitive logged-in account state to access creator analytics and earnings data.
The instructions contemplate finding and using local session/cookie material, but the registry metadata declares no credential or config-path contract and the artifacts do not clearly bound how credentials are sourced, approved, stored, or removed.
Check whether a valid Toutiao Session/Cookie exists locally
Do not search local browser/session stores by default; require explicit user-provided authorization, declare the credential handling, and document storage, retention, and cleanup.
Past account metrics and income data may persist locally after a report is generated.
Keeping local historical analytics is purpose-aligned for trend reports, but the artifact does not specify where sensitive account and earnings history is stored or how long it is retained.
Append the day's data to the local history record ... for subsequent trend analysis
Document the storage location, retention period, and deletion process, and let users opt out of history storage.
Users may not realize before installation that the skill depends on browser automation permissions and logged-in browser state.
The metadata does not declare the macOS browser-automation dependencies or the session/cookie handling described in the skill files, which makes pre-install expectations less clear.
Required binaries (all must exist): none ... Primary credential: none ... Capability signals: No capability tags were derived.
Declare the required browser/OS automation capabilities and any credential/session expectations in metadata.
