Pinterest Browser Publisher

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do Pinterest publishing as advertised, but it stores Pinterest session cookies, can automatically post batches to your account, and advertises anti-detection behavior.

Install only if you are comfortable giving this skill persistent browser-session access to your Pinterest account. Run it in an isolated environment, inspect every script and pin configuration first, avoid the anti-detection/proxy guidance, and prefer workflows that let you manually review before publishing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: High
What this means

Running the auto-publish scripts can post multiple public pins to the user's Pinterest account without a per-pin final confirmation.

Why it was flagged

The script iterates over the configured pins and, for each one, uploads the image and clicks Pinterest's publish button automatically through the saved browser session; the pin list, including the image paths, is hardcoded in the script.

Skill content
const pins = [ { image: '/Users/dhr/.openclaw/.../pins/pin01.png', ... } ]; ... for (let i = 0; i < pins.length; i++) { ... await fileInput.setInputFiles([pin.image]); ... await publishBtn.click(); }
Recommendation

Review and edit every configured pin before running, prefer the manual-review scripts, and require explicit confirmation before any public posting.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Anyone who can read the cookie file or the captured console output can obtain sensitive material from the user's Pinterest session, including the cookies that authenticate as that user.

Why it was flagged

The login helper saves full Pinterest session cookies and prints partial auth/session/token cookie values to the console.

Skill content
fs.writeFileSync(COOKIES_FILE, JSON.stringify(cookies, null, 2)); ... c.name.includes('sess') || c.name.includes('token') || c.name.includes('auth') ... console.log(`  - ${c.name}: ${c.value.slice(0, 50)}...`);
Recommendation

Do not log cookie values, restrict permissions on ~/.config/pinterest/cookies.json, delete cookies when not needed, and use a dedicated low-risk Pinterest account.

ASI09: Human-Agent Trust Exploitation
Severity: Medium
What this means

Using these tactics may violate Pinterest rules, trigger account review, or lead to account restrictions even if the automation works technically.

Why it was flagged

The documentation promotes anti-detection techniques and proxy use around CAPTCHA/login-loop issues, which can encourage evasion of platform safeguards.

Skill content
## Anti-Detection ... | Mouse movement | Bezier curve simulation | ... | User Agent | Rotating real browser UAs | ... ### Login loop / CAPTCHA - Use residential proxy if available - Add longer delays between actions
Recommendation

Use only automation that complies with Pinterest's terms and avoid proxy, anti-detection, or CAPTCHA-avoidance behavior.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

This is normal for browser automation, but it expands what is installed on the machine and means trusting the provenance of the npm packages and downloaded browser binaries.

Why it was flagged

The skill requires users to install a global Playwright package, browser binaries, and npm dependencies, even though the registry lists no install spec.

Skill content
npm install -g playwright
playwright install chromium
cd skills/pinterest-browser-publisher
npm install
Recommendation

Install in an isolated environment, review package.json and package-lock.json, and avoid running unreviewed scripts with privileged accounts.