Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
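social video -publish (Cambrian Video Publishing)
v1.0.2
One-click multi-platform publishing tool. Supports synchronized publishing of image-and-text posts and videos to five platforms: Xiaohongshu, Douyin, Kuaishou, Bilibili, and WeChat Channels. The user provides the content once; it is automatically adapted to each platform's format and published.
Usage scenarios:
- "Publish to Xiaohongshu, Douyin, Kuaishou, Bilibili, and WeChat Channels in one click"
- "Help me post to multiple platforms at once"
- "Post to a few more platforms"
- "Publish a video to Douyin"
- Multi-platform exposure needs such as content marketing, promotion, and recruitment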
by 寒武纪智能 Cambrian Intelligence @hitjcl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the files: SKILL.md describes browser automation to publish to multiple Chinese social platforms and two helper scripts are included. However the code does not actually implement browser automation: video-publish.py only prints instructions and jimeng-download.py shells out to PowerShell to download a URL. There's a mismatch between claimed automated publishing and the limited, mostly-instructional code.
Instruction Scope
SKILL.md instructs the agent to '自动打开浏览器, 依次登录并发布' ("automatically open the browser, then log in and publish on each platform in turn") and to extract video src via JS from a logged-in page then download it. It also instructs '浏览器需要配置 SSRF 策略' ("the browser needs an SSRF policy configured"), without saying why or how. These steps rely on controlling a browser session and accessing authenticated resources; that gives the skill access to whatever accounts are logged in in the browser. The SSRF instruction is ambiguous and could imply configuration that weakens network boundaries. The agent is told to run JavaScript in pages and to use system-level downloads (PowerShell), which go beyond simple text generation and warrant caution.
Install Mechanism
No install spec and no external downloads at install time—this is instruction-first and thus lower install risk. The included Python scripts are small and not installing dependencies or pulling remote archives.
Credentials
The skill requests no environment variables or credentials, which is consistent with the idea of using the user's browser sessions and QR logins. However, SKILL.md and PLATFORM_GUIDE mention maintaining logged-in browser pages and even list example account IDs, which is unexpected for an instruction-only skill from an unknown source. Also, the instruction to configure 'SSRF 策略' ("SSRF policy") is unexplained and potentially disproportionate.
Persistence & Privilege
always is false and there's no install that persists or modifies other skills or system-wide configs. The skill relies on ephemeral browser automation and user logins; autonomous invocation is allowed by default but is not combined with any additional privileged flags.
What to consider before installing
What to check before installing/using:
- Ask the author to explain '浏览器需要配置 SSRF 策略' ("the browser needs an SSRF policy configured"): why is SSRF needed and exactly what configuration is required? This is unusual and can weaken network protections.
- Confirm how browser automation is performed and whether the skill or agent will have access to your browser's logged-in sessions/cookies. Do not use your primary/production accounts until you verify behavior.
- Note that jimeng-download.py uses PowerShell (Invoke-WebRequest), so it is Windows-specific; running it will execute a subprocess that downloads an arbitrary URL you provide. Inspect any URL before downloading, and prefer to run with disposable accounts or in an isolated environment.
- The included scripts do not implement the promised end-to-end automation; ask for the actual automation implementation or test in a safe environment.
- The repository has no homepage and an unknown source; prefer to obtain the skill from a known author or ask for a security/privacy policy. If you proceed, test with throwaway accounts and review any code you run locally.
If the author cannot clearly justify the SSRF requirement, the account examples in docs, and the browser access model, treat this skill as risky and avoid giving it access to important accounts or systems.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📱 Clawdis
