Video pusher
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its social-media publishing purpose, but it stores reusable login sessions and uses under-disclosed stealth browser automation, so it should be reviewed carefully before use.
Install only if you trust the skill with logged-in social-media sessions. Use dedicated accounts if possible, confirm every file and caption before the final publish click, and manually remove profile/session directories when retiring an account group. Be aware that the code tries to hide browser automation indicators, which may create platform-policy or account-security risk.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
This may put user accounts at risk of platform enforcement or security checks and makes the automation less transparent, even though the final publish button is left to the user.
The browser is configured to suppress automation indicators while operating logged-in social-media pages. This anti-detection behavior is not clearly disclosed in the skill instructions.
args=["--start-maximized", "--disable-blink-features=AutomationControlled"], ignore_default_args=["--enable-automation"] ... Object.defineProperty(navigator, 'webdriver', { get: () => undefined });Disclose the anti-detection settings clearly, make them opt-in or remove them, and warn users about possible account/platform policy risk.
A user may believe an account group was removed while reusable browser session data remains on disk, which matters on shared or compromised machines and may cause stale-session reuse.
The code shows account-group deletion only updates accounts.json, while only the separate per-platform remove command deletes profile directories. Persistent login sessions can therefore remain after deleting an account group.
def cmd_delete(name): ... save_accounts(new) ... print(f"✅ Account group '{name}' deleted.") ... def cmd_remove_platform(...): ... if os.path.isdir(profile_dir): shutil.rmtree(profile_dir)Document the difference between deleting a group and removing sessions, and make group deletion optionally remove all associated profile directories after explicit confirmation.
Anyone or any later automation with access to these profile directories may be able to reuse logged-in social-media sessions.
The skill intentionally stores logged-in browser sessions for Douyin, XHS, WeChat Channels, Threads, and Instagram. This is purpose-aligned but gives the skill durable account access.
login "组名" <platform> | 打开浏览器登录,关闭后自动保存 Session ... Chromium Session:`profile/<platform>/group_<N>/`
Use dedicated accounts where possible, protect the local profile directory, and remove sessions when no longer needed.
Installation may fetch Python packages and a Chromium browser before publishing or login workflows work.
The first-use flow runs package/browser installation commands. This is expected for Playwright automation, but it downloads and executes external dependencies.
若未安装或用户首次使用,自动依次运行: uv sync uv run playwright install chromium
Run installation only from a trusted environment and review the dependency/browser install prompts before proceeding.
Content may become public on selected social platforms if the user approves and clicks publish.
The skill can prepare uploads and posts across multiple logged-in platforms, but the documentation requires parameter confirmation and user completion in the browser.
确认发布参数(文件、标题、正文、标签、账号组、目标平台) ... 等待用户在浏览器完成发布并关闭浏览器窗口
Carefully verify the media file, caption, target platforms, and account group before clicking the final publish/share button.