Skill v2.0.0

ClawScan security

Xiaohongshu All In One · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 2:31 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with its stated purpose (automating Xiaohongshu publishing and account operations), and it has no installers and requests no secrets. It does, however, automate live posting and run arbitrary page-context scripts through evaluate(), so use caution and require explicit confirmation before any live publish.
Guidance
What to consider before installing:
- Coherence: the skill matches its stated purpose. It automates browser actions to publish, search, and reply on Xiaohongshu and needs no extra credentials. There is no installer or downloaded code in the package.
- Risky behaviors to watch for: it can publish content without further input, upload local files, take page snapshots, and run arbitrary JS via evaluate(), which can bypass on-page validation. Treat publish actions as potentially destructive: test in a draft account or use a dry run first.
- Practical precautions: ensure the browser profile is logged into the correct Xiaohongshu account; confirm the skill is limited to /tmp/openclaw/uploads for file access and will not post without explicit confirmation; inspect any evaluate() payloads before they run. Keep sensitive material out of the files you point to for upload, and remember that /tmp is shared with every local user, so keep that directory's permissions tight and do not leave files there longer than needed.
- Higher assurance: require manual confirmation before clicks that trigger real publishes, run the skill in a non-production account to verify the page selectors it relies on, and do not enable autonomous invocation for live posting.

Confidence notes: assessment confidence is medium because the skill package is instruction-only and coherent, but the source/homepage is unknown. If a later version requests external installers or credentials, or ships code files that contact network endpoints, this assessment must be revisited.

Review Dimensions

Purpose & Capability
[ok] The name/description (Xiaohongshu publish/browse/comment/analysis) matches the SKILL.md: all runtime actions are browser automation, DOM evaluate() scripts, and local file uploads (e.g., /tmp/openclaw/uploads). No unrelated credentials, binaries, or external services are requested.
Instruction Scope
[note] The instructions explicitly automate opening the Xiaohongshu creator URL, uploading files from /tmp/openclaw/uploads (copied there from ~/Desktop), interacting with page elements, taking snapshots, and using evaluate() to set editor.innerHTML. These actions fit the stated automation purpose, but they are sensitive: they post content, read local files, and capture page snapshots. The evaluate() steps run arbitrary JS in the page context, which can bypass UI-level validation. That is expected for a web-automation skill, but it is a safety and privacy surface the user should be aware of, and any evaluate() payload should be reviewed before it is run.
Install Mechanism
[ok] Instruction-only skill with no install spec and no downloaded code. This is the lowest-risk install mechanism: nothing is written to disk by the skill package itself. (The runtime copy of upload files from ~/Desktop into /tmp/openclaw/uploads is a skill action, not an install step, and is covered under Instruction Scope.)
Credentials
[ok] No environment variables, credentials, or config paths are requested. The skill only references local file paths (/tmp/openclaw/uploads and ~/Desktop) and the browser profile 'openclaw', which are consistent with web automation for publishing.
Persistence & Privilege
[note] always:false, with model invocation allowed (the default). Because the skill can post and comment in the target service on its own, allowlisting it for autonomous invocation would increase risk; require explicit user confirmation for publish actions instead. The skill does not request permanent system-level privileges or modify other skills' configs.