Skill v1.0.0

ClawScan security

xiaohongshu-ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 4:43 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions largely match its Xiaohongshu operations purpose, but there are inconsistencies and a few undeclared external integrations (image APIs, Feishu attachments) that you should understand before installing.
Guidance
Before installing:
1) Clarify publish behavior — PUBLISH.md/README market a fully automated "one-click publish", but SKILL.md says to stop at the publish button and wait for confirmation; ask the author which behavior will actually run.
2) If you plan to use image-generation or Feishu attachments, identify required API keys (e.g., Nano Banana/Gemini, Feishu) and provide them only after verifying trust.
3) Test on a throwaway/low-risk Xiaohongshu account first to validate selectors, rate limits, and that the skill will not unexpectedly publish.
4) Confirm how account credentials/session tokens are stored and rotated (login persistence is discussed in README); avoid giving long-lived credentials you cannot revoke.
5) Consider legal/ethical risk: the Viral Copy flow emphasizes avoiding verbatim copying but still performs structural replication of popular posts — ensure you comply with platform policies and copyright.
If you need higher assurance, ask the author for a short runbook showing exact automation steps (a trace or dry-run) and for an explicit listing of any external services that will receive screenshots or other content.

Review Dimensions

Purpose & Capability
note: The name/description (end-to-end Xiaohongshu ops) align with the instructions: SKILL.md contains SOPs for account positioning, topic research, content creation, publishing flows, comment replies, and viral-copy logic. However, the marketing docs (PUBLISH.md, README.md) claim "fully automated publishing" (“全自动发布”) / "one-click completion" (“一键完成”), while SKILL.md explicitly instructs to stop at the publish button and await user confirmation. That mismatch (advertised fully automated publishing vs. instructions that require a manual final confirmation) should be clarified.
Instruction Scope
note: SKILL.md is explicit about browser automation practices, selectors, snapshotting, evaluate scripts, and using an internal profile (profile='openclaw'). It directs use of /tmp/openclaw/uploads for browser.upload and recommends sending screenshots/attachments to Feishu for confirmation. These behaviors are coherent for a posting automation skill, but they do reach beyond purely local text generation (they instruct interacting with third-party UIs and sending attachments to an external chat tool). There is no instruction to read unrelated secrets or system files, and persona.md explicitly instructs not to reveal secrets.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. The repository includes a separate Openclaw install script for users, but that is not part of the skill runtime and simply documents how to install Openclaw.
Credentials
note: The skill declares no required env vars or credentials, which matches SKILL.md. However, README mentions optional integrations (Nano Banana / image generation) and references a 'gemini_api_key' in a changelog note; SKILL.md refers to attaching screenshots to Feishu. If you use image-generation or Feishu features, you may need to provide API keys/credentials — these are not declared in the skill metadata. Confirm what credentials are needed for those optional features before enabling the skill.
Persistence & Privilege
ok: The skill does not request 'always: true' and is user-invocable; model invocation is enabled by default. There is no indication it tries to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default; combined with the skill's publishing capabilities this increases potential impact, but there is no explicit privileged persistence requested by the skill itself.