Skill v0.1.0

ClawScan security

xiaohongshuskills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 6:49 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions largely match its stated purpose (automating Xiaohongshu posts), but it requires direct access to local Chrome profiles / CDP and supports an 'auto-publish' mode and remote CDP connections that could be used to act without expected user confirmation — these behaviors deserve caution before installing.
Guidance
Plain-language checklist before installing or running this skill:
- Review and run the code in an isolated environment first (VM or throwaway account) — these scripts will execute on your machine.
- Chrome is required but not declared: ensure you install Chrome and run the tool with a dedicated Chrome profile (do NOT point it at your primary browser profile). The tool creates/manages user-data-dirs and can delete them when asked (remove-account --delete-profile).
- The skill reads/writes local files (config/, tmp/) and stores login/cache info; expect persistent session data on disk.
- The tool can download arbitrary media URLs and will save them in a temp directory — only provide trusted URLs.
- Be careful with remote CDP (--host not localhost): connecting to an untrusted remote Chrome instance or allowing remote CDP access may expose sensitive data (cookies, pages). Avoid remote mode unless you control the remote machine.
- The SKILL.md says human confirmation is required before publishing, but the code supports --auto-publish which bypasses confirmation. If you allow autonomous agent invocation, ensure the agent is not permitted to call publish commands with --auto-publish.
- If you need to use this: create a dedicated OS user or Chrome profile for testing, back up any important Chrome profiles, and run the scripts manually once to observe behavior before granting agent-level invocation.
- If you are not comfortable auditing Python code, do not install it with elevated trust; prefer manual use only (run CLI yourself) rather than giving the skill autonomous privileges.

Review Dimensions

Purpose & Capability
ok
The name/description (auto-post to Xiaohongshu) aligns with the included modules: Chrome launcher, CDP publisher, account manager, feed explorer, image downloader, and publish pipeline. The only mild mismatch: the registry metadata lists no required binaries, but the SKILL.md and README explicitly require Google Chrome and Python 3.10+. Overall the requested files and operations are consistent with the stated purpose.
Instruction Scope
concern
Runtime instructions and code perform browser automation via Chrome DevTools Protocol, manipulate Chrome user-data-dirs (profiles), read/write local config and cache (accounts.json, login_status_cache.json), download arbitrary media URLs, and scrape page state (window.__INITIAL_STATE__). These are all within 'publishing/search' functionality, but they also provide the ability to inspect notifications, retrieve mentions, and post comments. Notably: (1) the skill can access and modify browser profiles (cookies/session state) and can delete profile directories; (2) it supports remote CDP host/port connections (connect to arbitrary remote Chrome instances); (3) image/video downloader will fetch arbitrary URLs with custom Referer headers. All of these increase the attack surface and sensitivity of what the skill can read/modify.
Install Mechanism
ok
This is instruction + included Python code (no install spec). A minimal requirements.txt (requests, websockets) is provided. No external download URL or archive-extract steps are present in the manifest. Risk from install mechanism is low, but executing the shipped scripts will run arbitrary Python code on the host, so users should review the source before running.
Credentials
note
The skill declares no required environment variables or primary credential, which matches the manifest. However, it relies on environment/state implicitly: LOCALAPPDATA or home directory for Chrome profile paths, filesystem access to create/delete profile dirs and temp files, network access to download media and to reach Xiaohongshu and optional remote CDP hosts, and ability to open/listen to TCP ports. These are plausible needs for the task, but they are sensitive (access to browser cookies/session via profiles and CDP).
Persistence & Privilege
concern
always:false (good). The skill persists data locally (config/accounts.json, profile directories, tmp/login_status_cache.json, temporary downloaded media). This is expected for multi-account publishing, but there is an operational risk: the tool supports a --auto-publish flag (bypass confirmation) and the agent platform allows autonomous invocation by default — combined, that can let the agent publish posts without an explicit human confirmation if invoked with that flag. The skill can also connect to remote CDP endpoints (which could be an untrusted remote Chrome) — a privilege to be used with caution.