Skillv1.0.3

ClawScan security

小红书搜索摘要 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 2:22 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions are coherent with its stated purpose (scraping Xiaohongshu and producing a multi‑modal summary), but it requires running dynamic npm/playwright code at runtime and instructs the agent to read local image files — both deserve user attention.
Guidance: This skill appears to do what it claims, but consider these points before installing/ running it: - Runtime npm fetch: run.sh uses npx @playwright/cli which may download and execute code from npm at runtime. If you prefer, preinstall Playwright (npm install -g @playwright/cli or your platform package) to avoid dynamic downloads. - File access: the agent is instructed to read and 'see' image files saved in OUTPUT_DIRECTORY. Only run this skill in an environment where the agent is allowed to read those files and where saving scraped content is acceptable. - Legal/ToS: scraping Xiaohongshu may violate the site’s terms of service or local law; ensure you have the right to collect and store the content you pull. - Isolation: because the skill executes a headful browser script and downloads images, run it in an isolated or trusted environment (sandbox or dedicated workspace) if you are concerned about supply-chain or scraping risks. - Review output: parsed markdown embeds local image paths; verify the OUTPUT_DIRECTORY and files before sharing externally. If you want higher assurance, request a version that avoids npx (preinstalled playwright) and/or a reproducible pinned package manifest so no dynamic remote code is executed at runtime.

Review Dimensions

Purpose & Capability: okName/description match the files and instructions: a Playwright-based scraper (run.sh) collects posts and parse.py downloads images and writes raw markdown for synthesis. The declared dependencies in SKILL.md (playwright-cli, python3, requests) are what the code actually uses.
Instruction Scope: noteSKILL.md explicitly requires the agent to read the generated markdown and to open/interpret the image files on disk with its vision capabilities. That is consistent with the synthesizer purpose, but it means the agent will access local files (the OUTPUT_DIRECTORY) and must be permitted to read binary images. The instructions also tell the agent to embed images into the final report — which is expected but important to note for privacy.
Install Mechanism: noteThere is no formal install spec in the registry, but run.sh invokes npx @playwright/cli run-code which will fetch and run code from npm if playwright isn't present. Using npx/Playwright is reasonable for a scraper but carries the usual runtime supply-chain risk of fetching npm packages dynamically.
Credentials: okThe skill does not request unrelated environment variables or secrets. It only uses environment variables for keyword and max posts (exported by run.sh). parse.py uses no credentials and restricts downloaded image URLs to specified Xiaohongshu domains (HTTPS).
Persistence & Privilege: okalways is false and the skill only creates files under the user-specified OUTPUT_DIRECTORY and a temporary /tmp script. It does not modify other skills' configs or request persistent system privileges.