小红书笔记搬运 (Xiaohongshu note reposting)

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill does what it claims, but it can publish publicly to fixed Facebook/WordPress destinations and has an upload-cleanup bug that could accidentally repost old images.

Review the target Facebook page and WordPress site before use, fix the upload-directory cleanup bug, and require a final confirmation or draft mode before any public post is published.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A note could be posted publicly to the configured WordPress site immediately if the agent runs this helper with a valid token.

Why it was flagged

The helper publishes directly to WordPress with a default status of publish. That is aligned with the stated purpose, but it is a high-impact account mutation without an artifact-backed preview, draft default, destination selection, or explicit confirmation step.

Skill content
def publish_to_wordpress(title, content, status="publish") ... requests.post(url, headers=headers, json=data)
Recommendation

Default WordPress posts to draft, show the exact target site, title, and content, and require explicit user confirmation before anything is set to publish.
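A hardened version of the publish helper, written for this review as an added example (it is not the skill's wp_publish.py). It defaults status to draft, renders the exact destination, status, title and content, refuses a public publish unless a confirmation callback approves that preview, and fails closed when WP_TOKEN is absent. Assumptions not taken from the skill: the `site` argument and the standard WordPress REST path /wp-json/wp/v2/posts (the skill's own URL is not shown), and the injected `post`, `confirm` and `env` parameters, which exist so the function can be exercised without network access.

```python
import os
from typing import Callable, Mapping, Optional

# Added example for this review; not the skill's own wp_publish.py.
# Assumed names (not in the reviewed skill): `site`, the WordPress REST path
# /wp-json/wp/v2/posts, and the injected `post`/`confirm`/`env` parameters.

ALLOWED_STATUSES = {"draft", "pending", "private", "publish"}


class PublishRefused(Exception):
    """Raised when a publish is blocked by a local safety check rather than by the server."""


def build_post_payload(title: str, content: str, status: str = "draft") -> dict:
    """Build the REST payload. 'draft' is the default so nothing goes public by accident."""
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unsupported post status {status!r}")
    return {"title": title, "content": content, "status": status}


def render_preview(site: str, payload: dict) -> str:
    """Exact destination, status, title and (truncated) body shown to the operator."""
    body = payload["content"]
    snippet = body if len(body) <= 200 else body[:200] + "..."
    return (
        f"Destination: {site}\n"
        f"Status: {payload['status']}\n"
        f"Title: {payload['title']}\n"
        f"Content ({len(body)} chars):\n{snippet}\n"
    )


def publish_to_wordpress(
    site: str,
    title: str,
    content: str,
    status: str = "draft",
    confirm: Optional[Callable[[str], bool]] = None,
    post: Optional[Callable[..., object]] = None,
    env: Optional[Mapping[str, str]] = None,
) -> dict:
    """Create a post; a public 'publish' needs explicit confirmation of the preview.

    `confirm` receives the rendered preview and returns True only if the operator
    approved it. `post` replaces requests.post so the function can be exercised
    offline; `env` replaces os.environ for the same reason.
    """
    env = os.environ if env is None else env
    token = env.get("WP_TOKEN", "")
    if not token:
        # Fail closed: the credential must be declared and present, not silently empty.
        raise PublishRefused("WP_TOKEN is not set")

    payload = build_post_payload(title, content, status)
    preview = render_preview(site, payload)
    if payload["status"] == "publish" and (confirm is None or not confirm(preview)):
        raise PublishRefused("public publish requires explicit confirmation of:\n" + preview)

    if post is None:
        import requests  # only needed for a real network call

        def post(url, headers, json):
            return requests.post(url, headers=headers, json=json, timeout=30)

    url = site.rstrip("/") + "/wp-json/wp/v2/posts"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    response = post(url, headers=headers, json=payload)
    return {"url": url, "payload": payload, "preview": preview, "response": response}
```

In an interactive run the confirmation callback would be something like `confirm=lambda p: input(p + "Publish this? [y/N] ").strip().lower() == "y"`; an agent that cannot present the preview to a human simply gets a draft, which is the safe outcome the finding asks for.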

What this means

Old images may be accidentally uploaded or published with a new post, exposing the wrong content on Facebook or WordPress.

Why it was flagged

The wildcard is inside the double quotes, so the shell passes the literal path /tmp/openclaw/uploads/* to rm instead of expanding it. Because rm runs with -f, the resulting "no such file" error is suppressed and the command exits 0, so the staging directory is never cleared and nothing signals the failure. Because the workflow later uploads every file from that staging directory, stale files from a prior task could be included.

Skill content
rm -rf "$UPLOAD_DIR/*"
mkdir -p "$UPLOAD_DIR"
...
cp "$SAVE_DIR/$filename" "$UPLOAD_DIR/"
Recommendation

Fix cleanup to use a safe pattern such as `rm -rf "${UPLOAD_DIR:?}"/*` (wildcard outside the quotes; the `:?` expansion aborts instead of turning an unset or empty variable into `rm -rf /*`), keeping in mind that `*` does not match dotfiles; preferably use a unique per-post upload directory, and display the exact files before upload.
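To make the failure concrete, the following added example (written for this review, not the skill's download_images.sh) runs the skill's quoted form and a corrected form through `sh -c` in a throwaway directory and reports which files survive, then builds a unique per-post staging directory with tempfile.mkdtemp and lists the exact files before upload. The stale file, the sample image names and the helper names are constructed for the demonstration.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Added example for this review, not the skill's download_images.sh.
# BUGGY is the skill's quoted form; FIXED keeps the wildcard outside the quotes
# and uses ${UPLOAD_DIR:?} so an unset variable aborts instead of becoming /*.
BUGGY = 'rm -rf "$UPLOAD_DIR/*"; mkdir -p "$UPLOAD_DIR"'
FIXED = 'rm -rf "${UPLOAD_DIR:?}"/*; mkdir -p "$UPLOAD_DIR"'


def run_cleanup(command: str) -> list:
    """Seed a staging dir with one stale file (constructed), run the cleanup, report leftovers."""
    with tempfile.TemporaryDirectory() as root:
        upload_dir = Path(root) / "uploads"
        upload_dir.mkdir()
        (upload_dir / "old_post_image1.jpg").write_bytes(b"stale")  # constructed stale file
        subprocess.run(
            ["sh", "-c", command],
            env={**os.environ, "UPLOAD_DIR": str(upload_dir)},
            check=True,  # both forms exit 0; the bug is silent, not an error
        )
        return sorted(p.name for p in upload_dir.iterdir())


def new_post_staging_dir(base: Path) -> Path:
    """A fresh, uniquely named directory per post, so stale files cannot carry over."""
    base.mkdir(parents=True, exist_ok=True)
    return Path(tempfile.mkdtemp(prefix="post-", dir=base))


def stage_for_upload(save_dir: Path, filenames, staging: Path) -> list:
    """Copy only the requested files into the staging dir; return the exact list to upload."""
    staged = []
    for name in filenames:
        src = save_dir / name
        if not src.is_file():
            raise FileNotFoundError(src)
        (staging / name).write_bytes(src.read_bytes())
        staged.append(name)
    return sorted(staged)


def staged_files(staging: Path) -> list:
    """What will actually be uploaded: show this to the operator before any post call."""
    return sorted(p.name for p in staging.iterdir() if p.is_file())


def demo_per_post_staging() -> dict:
    """Two posts get distinct staging dirs holding only their own (constructed) images."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        save = root / "saved"
        save.mkdir()
        for name in ("a.jpg", "b.jpg", "c.jpg"):  # constructed downloaded images
            (save / name).write_bytes(name.encode())
        first = new_post_staging_dir(root / "uploads")
        second = new_post_staging_dir(root / "uploads")
        stage_for_upload(save, ["b.jpg", "a.jpg"], first)
        stage_for_upload(save, ["c.jpg"], second)
        return {
            "distinct_dirs": first != second,
            "first": staged_files(first),
            "second": staged_files(second),
        }


if __name__ == "__main__":
    print("buggy cleanup leaves:", run_cleanup(BUGGY))  # the stale file survives
    print("fixed cleanup leaves:", run_cleanup(FIXED))  # nothing left
    print(demo_per_post_staging())
```

Because the per-post directory is created empty and removed after the post, the dotfile gap in `*` and the unset-variable hazard both disappear; the listing returned by `staged_files` is what the agent should show before the first upload call.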

What this means

A valid token may allow the agent to publish to the configured WordPress site.

Why it was flagged

The script uses a WordPress bearer token for posting authority, but the registry metadata declares no required environment variables or primary credential. The credential use is purpose-aligned, but under-declared.

Skill content
WP_TOKEN = os.environ.get("WP_TOKEN", "") ... "Authorization": f"Bearer {WP_TOKEN}"
Recommendation

Declare the required credential, use the least-privileged token available, and confirm the destination account before posting.

What this means

The agent may control a macOS file upload dialog and select files from the staging directory.

Why it was flagged

The skill documents macOS UI automation (osascript driving System Events) to operate the file picker. This is relevant to the upload workflow, but it requires the calling process to hold macOS Accessibility and Automation permissions, and it acts on whichever file dialog is currently active rather than one it can verify belongs to this task.

Skill content
osascript << 'EOF'
tell application "System Events"
    tell process "com.apple.appkit.xpc.openAndSavePanelService"
Recommendation

Use this only on macOS with understood Accessibility permissions, and verify the selected files before publishing.

What this means

Users may need to inspect and run local scripts manually without clear dependency or provenance information.

Why it was flagged

The package lists runnable scripts but has no repository/provenance URL, while the install metadata does not declare dependencies or OS assumptions. This is not malicious by itself, but it reduces reviewability.

Skill content
"repository": "",
"scripts": [
  "scripts/download_images.sh",
  "scripts/prepare_upload.py",
  "scripts/wp_publish.py"
]
Recommendation

Publish a source repository, declare Python/package and OS requirements, and document how each script should be run safely.