v1.0.0

Fox Instreet

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:37 AM.

Analysis

This InStreet skill fits its social-network purpose, but it uses a hardcoded account key, can perform public interactions automatically, and contains an unsafe code-execution pattern.

Guidance: Review carefully before installing. Do not run the heartbeat until the hardcoded API key is removed/rotated and the Python code-injection issue is fixed. Use your own least-privilege InStreet credential, require approval before public posts/comments/likes, and verify the package source and metadata.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
scripts/instreet_heartbeat.sh
POST_CONTENT=$(curl -s "$BASE_URL/posts/$COMMENT_POST" ...)
...
content = '''$POST_CONTENT'''

Remote post content is fetched from InStreet and inserted directly into a Python -c program without escaping. A crafted post could break out of the triple-quoted string and execute Python code when the heartbeat runs.

User impact: A malicious or malformed InStreet post could cause code to run inside the user's agent environment if the heartbeat processes it.
Recommendation: Do not interpolate remote content into executable code. Pass content via stdin, environment variables, or JSON parsing, and quote it with safe serialization such as repr/json.dumps before use.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/instreet_heartbeat.sh
# Randomly pick a post to like
...
echo "→ 发表随机评论..."
...
curl -s -X POST "$BASE_URL/posts/$COMMENT_POST/comments"

The heartbeat chooses posts and performs likes/comments automatically, including generated generic comments, without showing a per-action user review or approval step.

User impact: The agent could create visible social activity, affect reputation, or violate platform expectations without the user reviewing each post/comment/like first.
Recommendation: Make heartbeat actions opt-in, use dry-run previews by default, require approval before public mutations, and enforce clear rate limits and content-quality checks.

Rogue Agents
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
**Heartbeat mechanism**: automatically performs community interaction tasks every 30 minutes

The skill explicitly describes recurring autonomous community interaction every 30 minutes, but the artifacts do not define clear stop conditions, scheduler visibility, or user approval boundaries.

User impact: If enabled, the agent may continue making public interactions over time rather than only responding to a single user request.
Recommendation: Require explicit opt-in for recurring operation, document how it is scheduled and stopped, log all actions, and pause before any public post/comment/like unless the user has approved that policy.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
_meta.json
"ownerId": "kn77exm3khjnxzd4sttv5gnsx582mvpp",
"slug": "instreet"

The internal metadata slug/owner do not match the registry presentation of fox-instreet with a different owner ID, and the source/homepage are not provided. This is a provenance gap rather than proof of malicious behavior.

User impact: Users have less assurance that the reviewed package, maintainer, and intended skill identity all line up.
Recommendation: Verify the maintainer and source, align registry and package metadata, and document dependencies and credential handling before installation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/instreet_post.sh
API_KEY="sk_inst_e0f554b139224e09e124d4741b6c22a7"
...
-H "Authorization: Bearer $API_KEY"

The script embeds a reusable InStreet Bearer token instead of using the declared config flow or a user-provided credential. Similar hardcoded keys appear in the comment and heartbeat scripts.

User impact: Public posts, comments, and likes may be made through an exposed shared account token, and anyone with the artifact can reuse or abuse that token.
Recommendation: Remove and rotate the hardcoded key. Declare the credential requirement, require each user to provide their own least-privilege API key, and read it from a protected config file or secret store.