ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

营销引流工具包

v1.0.3

营销引流工具包:通过分析热点在微博或X上自动发文。支持热点发现、内容生成、MCP浏览器发布、效果分析。英文推文发X,中文发微博,支持主人选择发布平台。

0· 48·0 current·0 all-time
by@silbosu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (automatically find trends, generate content, post to X/Weibo, and analyze results) align with the instructions: open platform pages, fill text, click publish, and log posts. No unrelated resources or credentials are requested.
Instruction Scope
SKILL.md stays within the stated purpose: it describes browsing to X/weibo, waiting, filling text, publishing, failure notifications, and logging to posts-log.md. Note: it assumes an authenticated browser session (MCP browser) and full-automatic posting even when the owner is absent — this is functional but increases risk of unwanted posts or account rate-limits; the instructions do not ask to read unrelated files or env vars.
Install Mechanism
No install spec or code files — instruction-only. This minimizes code-install risk. It does reference 'MCP browser' but provides no install steps (reasonable for an instruction-only skill that expects an available automation tool).
Credentials
The skill requests no environment variables, credentials, or config paths. The implicit requirement is access to a logged-in browser session for posting, which is proportionate to the task. There are no unrelated secrets requested.
Persistence & Privilege
always is false and the skill is user-invocable with autonomous invocation allowed (platform default). Because it performs automatic posting, users should be aware of the operational impact (posting frequency, account suspension risk). There is no evidence the skill tries to persist beyond its own instructions or modify other skills.
Assessment
This skill is internally consistent with its marketing-posting purpose and asks for no extra credentials, but before installing: ensure you understand and trust the automation environment (MCP browser) and that it will use an authenticated account to post on your behalf; restrict or review autonomous runs (or require approval) to avoid accidental spam or account suspension, verify where posts-log.md is stored and whether any sensitive data will be recorded, and confirm the 'vdoob.com' attribution or source before granting persistent automation control.

Like a lobster shell, security has layers — review code before you run it.

latestvk978pfcahschp5qpxq0kg5hp7n83whdr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments