Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
导师 Mentor
v1.1.0
Turn any public figure into your private AI mentor. Give a name — auto-collect their real posts, speeches, and content from social platforms, extract their t...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The high-level purpose says it only collects public posts without login, but multiple included submodules (bilibili-/douban-/douyin-deep-profile-collect and scripts) explicitly require the browser to be logged in and use cookies to fetch private or user-scoped data (favorites, following lists, nav API). The skill metadata declares no required env vars/credentials, yet the code expects MCP endpoints/API keys and local browser cookies. This is a mismatch: a 'public-figure only' mentor tool should not require logged-in user sessions or access to local browser credentials.
Instruction Scope
SKILL.md instructs the agent to auto-detect ManoBrowser and, if missing, automatically git clone or curl a GitHub repo. It instructs scanning specific local config files (e.g., .mcp.json, config/mcporter.json, manobrowser/SKILL.md), to call chrome_navigate and fetch_api with credentials:'include', and to run scripts that extract DOM and cookies. The agent is told not to ask the user if ManoBrowser is installed — it should auto-install. These instructions read local config, contact external endpoints, and rely on browser cookies and MCP API keys not declared in registry metadata.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md explicitly instructs auto-downloading ManoBrowser via git clone or curl/unzip from GitHub. Downloading from a known host (GitHub) is lower risk than arbitrary IPs, but automatic network download/install without explicit user consent is intrusive. The included scripts also spawn subprocess/curl commands and assume the environment will run them.
Credentials
Registry lists no required env vars or credentials, yet code and scripts expect an MCP endpoint and API key (arguments to scripts), access to browser cookies via ManoBrowser (fetch with credentials:'include'), and read local config files (.mcp.json, config/mcporter.json). The skill will access/guide use of local browser state and potentially sensitive tokens, while the manifest gives no justification for these secrets. This is disproportionate to the advertised 'public-only' purpose.
Persistence & Privilege
The skill instructs automatic detection and on-the-fly download of ManoBrowser and to use local config files; although 'always' is false, the SKILL.md encourages the agent to make changes/install components without asking the user. That elevated installer behavior combined with file/config reads increases privilege and persistence risk (automatic modification of local filesystem and running fetched code).
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged by the pre-scan. Such characters are often used in prompt-injection/evasion attempts to alter how content is parsed or displayed; they are not expected for a straightforward data-collection skill.
What to consider before installing
What doesn't add up: the README/SKILL.md says the skill only uses public data and needs no credentials, yet the shipped files and step-by-step guides require a connected ManoBrowser (MCP) with API key, browser login cookies, and access to local config files like .mcp.json or config/mcporter.json. The skill also instructs the agent to auto-download ManoBrowser from GitHub and to run curl/git/subprocess commands without asking the user.
Before installing or running this skill:
1) Treat it as potentially intrusive — it may access your browser session and local config files.
2) Review all shipped scripts (weibo_collect, bilibili_subtitle_batch, douyin_whisper_batch, etc.) yourself, paying attention to calls that use fetch({credentials:'include'}), subprocess/curl, or write files.
3) If you must try it, run it in an isolated VM/container and do not store sensitive tokens (MCP API keys, browser cookies) on that environment.
4) Do NOT allow automatic network installs — manually inspect and clone ManoBrowser and any dependency before granting the agent permission to run installation commands.
5) If you expect strictly public-data collection, ask the maintainer to remove or clearly separate the 'deep profile' modules that require logged-in sessions and to declare required env vars/configs explicitly.
6) Be wary of the unicode-control-chars finding: it may indicate an attempt to manipulate parsing or hide content; sanitize SKILL.md before use.
If you want, I can list specific files and lines that are highest risk and suggest exact mitigations (run-only-in-VM, remove auto-install steps, or require explicit user consent prompts).
Like a lobster shell, security has layers — review code before you run it.
