Shanghai Bar Association Assessment Automatic Video Playback
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could enroll in and progress through courses on the user's account, potentially affecting training records or obligations.
The skill tells the agent to click enrollment and confirmation controls automatically, which mutates the user's course account without an explicit per-course approval step.
if (btn) { btn.click(); return 'clicked_enroll'; } ... confirm?.click();
Require the user to review and approve the exact course queue and any enrollment action before the agent clicks confirmation buttons.
A background agent may continue running, using quota, opening the browser, replaying actions, or sending repeated notifications after the user expected it to stop.
The workflow creates a recurring isolated agent job for ongoing monitoring, but the provided artifacts do not specify deleting or disabling the job when all courses are done.
"name": "video-check-loop", "schedule": { "kind": "every", "everyMs": 480000 }, "sessionTarget": "isolated"
Add an explicit stop condition that cancels the cron job, marks the state as finished, and tells the user how to disable it manually.
Anyone running the skill should understand that the agent is operating as the logged-in user in Chrome, not through a narrow standalone API token.
The skill uses the user's local Chrome profile and a browser target ID, which likely means it acts through an already logged-in browser session.
Browser tool: `profile=chrome`, `targetId` from state file
Use a dedicated browser profile or tab for this workflow, keep it on the intended lawschool.lawyerpass.com account, and avoid leaving unrelated sensitive sessions open.
If the state file is edited incorrectly or by someone else, later automated runs could navigate the wrong tab or send updates to the wrong group.
The persistent state file stores control data for future cron runs, including the browser target, current URL, queue, and notification destination.
"current_url": "https://lawschool.lawyerpass.com/course/detail?courseId=xxx", ... "notify_group": "<wecom group space id>", ... "target_id": "<Chrome targetId from browser snapshot>"
Keep the state file private, validate that URLs stay under lawschool.lawyerpass.com, and review the target ID and notification group before starting the cron loop.
Course progress and titles may be visible to the configured WeCom group or bot destination.
The skill sends course titles and progress notifications to an external messaging channel configured in the state file.
Use `message` tool on every video complete and every video start: ... `✅ 播完:{title}` ... `▶ 开始:{title}`
Confirm the notification group is intended and avoid using a shared group if course activity should remain private.
