Social Media Dashboard
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: social-media-dashboard
Version: 1.2.0
The skill bundle provides automated data scraping for social media platforms (Toutiao, CSDN, Zhihu) using high-risk browser automation techniques. It relies on AppleScript (osascript) to execute arbitrary JavaScript within Chrome and Safari to extract 'document.body.innerText', and includes a script (launch-chrome-debug.sh) that encourages users to run Chrome with the '--remote-debugging-port=9222' flag enabled. While these methods are functionally necessary for the stated purpose of aggregating creator analytics, they require the user to lower browser security settings (e.g., 'Allow JavaScript from Apple Events'), creating a significant attack surface for potential session hijacking or data exfiltration if the agent logic were compromised.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A tool connected to the Chrome DevTools debugging port may be able to inspect or control more than just the intended Toutiao dashboard pages.
The script starts Chrome with a DevTools debugging port while reusing the default Chrome profile, which can expose broad browser control and authenticated session access to any connected CDP client.
DEBUG_PORT=9222 ... --remote-debugging-port=$DEBUG_PORT ... --user-data-dir="$CHROME_DATA"
Use an isolated temporary Chrome profile for automation, require explicit user confirmation before CDP access, and tell users to close the debug-enabled browser when finished.
The agent could rely on sensitive logged-in account state to access creator analytics and earnings data.
The instructions contemplate finding and using local session/cookie material, but the registry metadata declares no credential or config-path contract and the artifacts do not clearly bound how credentials are sourced, approved, stored, or removed.
Check whether a valid Toutiao Session/Cookie exists locally
Do not search local browser/session stores by default; require explicit user-provided authorization, declare the credential handling, and document storage, retention, and cleanup.
Past account metrics and income data may persist locally after a report is generated.
Keeping local historical analytics is purpose-aligned for trend reports, but the artifact does not specify where sensitive account and earnings history is stored or how long it is retained.
Append the current day's data to the local history record ... for subsequent trend analysis
Document the storage location, retention period, and deletion process, and let users opt out of history storage.
Users may not realize before installation that the skill depends on browser automation permissions and logged-in browser state.
The metadata does not declare the macOS browser-automation dependencies or the session/cookie handling described in the skill files, which makes pre-install expectations less clear.
Required binaries (all must exist): none ... Primary credential: none ... Capability signals: No capability tags were derived.
Declare the required browser/OS automation capabilities and any credential/session expectations in metadata.
