jike-publisher
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on the wrong content or context, the agent could publish an unintended public post to the user's Jike account.
The skill directly instructs browser automation to click the Jike publish/send button. Publishing to a social account is a high-impact action, and the artifacts do not include an explicit final confirmation or preview requirement before this step.
browser(action="act", request={"kind": "click", "ref": "<send_ref>"}, targetId=<tab_id>)Require the agent to show the exact post text and target account, then get explicit user confirmation before clicking the publish button.
The skill can perform Jike actions as the logged-in user while that browser session is active.
The skill uses the user's existing logged-in browser session and cookies to act on Jike. This is purpose-aligned for browser automation posting, but it means the skill acts with the user's account authority.
Jike account must be logged in via managed browser (profile="openclaw") ... Browser must have active session with valid cookies
Use a dedicated browser profile or verify the logged-in account before use, and log out if you do not want the skill to retain posting access.
Recent post text may remain on disk and could be reused or viewed later in the local OpenClaw workspace.
The helper script stores the most recent post content in a persistent local memory/state file. This is disclosed and scoped, but it persists user-written content beyond the immediate posting task.
STATE_FILE = Path.home() / ".openclaw/workspace-distribute/memory/jike-state.json" ... "lastContent": content
Avoid posting sensitive drafts through this skill, or clear the state file if you do not want post history retained.