小红书笔记搬运
AdvisoryAudited by VirusTotal on Mar 31, 2026.
Overview
Type: OpenClaw Skill Name: xiaohongshu-transfer Version: 1.0.0 The skill bundle automates content scraping from Xiaohongshu and cross-posting to Facebook and WordPress. It employs high-risk capabilities, specifically using `osascript` (documented in `SKILL.md` and `references/platforms.md`) to programmatically control the macOS system UI (`com.apple.appkit.xpc.openAndSavePanelService`) to automate file upload dialogs. Additionally, `scripts/download_images.sh` uses potentially dangerous shell commands (`rm -rf`) on a temporary directory. While these behaviors are aligned with the stated automation goals, the use of system-level UI manipulation and broad file system operations represents a significant attack surface in an agentic environment.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A note could be posted publicly to the configured WordPress site immediately if the agent runs this helper with a valid token.
The helper publishes directly to WordPress with a default status of publish. That is aligned with the stated purpose, but it is a high-impact account mutation without an artifact-backed preview, draft default, destination selection, or explicit confirmation step.
def publish_to_wordpress(title, content, status="publish") ... requests.post(url, headers=headers, json=data)
Default WordPress posts to draft, show the exact target site/title/content, and require explicit user confirmation before publishing.
Old images may be accidentally uploaded or published with a new post, exposing the wrong content on Facebook or WordPress.
The quoted wildcard prevents shell expansion, so this command does not actually clear /tmp/openclaw/uploads. Because the workflow later uploads all files from that staging directory, stale files from a prior task could be included.
rm -rf "$UPLOAD_DIR/*" mkdir -p "$UPLOAD_DIR" ... cp "$SAVE_DIR/$filename" "$UPLOAD_DIR/"
Fix cleanup to use a safe pattern such as `rm -rf "$UPLOAD_DIR"/*`, preferably use a unique per-post upload directory, and display the exact files before upload.
A valid token may allow the agent to publish to the configured WordPress site.
The script uses a WordPress bearer token for posting authority, but the registry metadata declares no required environment variables or primary credential. The credential use is purpose-aligned, but under-declared.
WP_TOKEN = os.environ.get("WP_TOKEN", "") ... "Authorization": f"Bearer {WP_TOKEN}"Declare the required credential, use the least-privileged token available, and confirm the destination account before posting.
The agent may control a macOS file upload dialog and select files from the staging directory.
The skill documents macOS UI automation to operate the file picker. This is relevant to the upload workflow, but it requires local automation privileges and can interact with the active file dialog.
osascript << 'EOF'
tell application "System Events"
tell process "com.apple.appkit.xpc.openAndSavePanelService"Use this only on macOS with understood Accessibility permissions, and verify the selected files before publishing.
Users may need to inspect and run local scripts manually without clear dependency or provenance information.
The package lists runnable scripts but has no repository/provenance URL, while the install metadata does not declare dependencies or OS assumptions. This is not malicious by itself, but it reduces reviewability.
"repository": "", "scripts": [ "scripts/download_images.sh", "scripts/prepare_upload.py", "scripts/wp_publish.py" ]
Publish a source repository, declare Python/package and OS requirements, and document how each script should be run safely.