07 互联网访问
AdvisoryAudited by Static analysis on Mar 15, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or configuring this skill could give the agent access to logged-in website sessions from your browser.
The skill reads local browser cookies and stores account session credentials for Twitter/X, XiaoHongShu, and Bilibili. Browser session cookies are equivalent to logged-in account access, and the registry metadata declares no primary credential or required config paths.
cookie_jar = browser_funcs[browser]() ... config.set("twitter_auth_token", tc["auth_token"]) ... config.set("xhs_cookie", cookie_str) ... config.set("bilibili_sessdata", bc["SESSDATA"])Use a dedicated low-privilege account, avoid automatic browser cookie extraction unless you explicitly want it, and require the skill to clearly declare which cookies are read, where they are stored, and how they are protected.
The agent may gain authority to take visible actions on a social account, not just read content.
The code advertises logged-in XiaoHongShu capabilities that include posting, commenting, and liking. Those are public account mutations, while SKILL.md mainly describes data access, search, and reading use cases.
return "ok", "完整可用(阅读、搜索、发帖、评论、点赞)"
Treat logged-in platform integrations as write-capable unless technically restricted. Require explicit user confirmation before any post, comment, like, follow, message, PR, issue, or similar account action.
If the agent uses an authenticated GitHub CLI, it could affect repositories or public project activity.
The GitHub channel checks authenticated gh CLI access and describes write-capable actions such as forks, issues, and pull requests, which are not disclosed in the main SKILL.md platform list or read/search scenarios.
return "ok", "完整可用(读取、搜索、Fork、Issue、PR 等)"
Limit GitHub tokens/CLI scopes, document the write capabilities, and require explicit confirmation before repository mutations.
Running the installer may make this skill available to other agents or environments on the machine.
The installer can persist the skill into multiple agent skill directories, including Claude Code and generic agent locations, not just the current OpenClaw skill context.
skill_dirs = [os.path.expanduser("~/.openclaw/skills"), os.path.expanduser("~/.claude/skills"), os.path.expanduser("~/.agents/skills")] ... with open(os.path.join(target, "SKILL.md"), "w") as f: f.write(skill_md)Only install into the agent directory the user explicitly selected, and ask before modifying other agent skill stores.
Third-party code may run locally and may handle logged-in platform sessions.
The setup path pulls and runs global npm tooling and an unpinned Docker image for a logged-in platform integration. This is purpose-related, but provenance and version pinning are not clearly controlled.
npm install -g mcporter ... docker run -d --name xiaohongshu-mcp -p 18060:18060 xpzouying/xiaohongshu-mcp
Pin package/image versions or digests, document trusted sources, and review third-party MCP services before giving them cookies or account access.
Untrusted web content could be saved and reused in later tasks.
The integration guide intentionally routes internet data into caches and long-term memory. This is aligned with the skill’s purpose, but retrieved web/social content is untrusted and can later influence agent context.
获取 → 清洗 → 缓存 → 存储 → 总结 ... 02-联网搜索 (缓存) ... 01-长期记忆 (存储)
Keep retrieved internet content labeled as untrusted, separate it from user-authored memory, and avoid treating cached web text as instructions.