Skillv1.0.0

ClawScan security

toutiao-article-publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 14, 2026, 12:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match a Toutiao publishing workflow, but there are mismatches (package.json declares code/deps that aren't included) and it requires reuse of your browser profile and local files — both privacy-sensitive — so proceed only after verifying the missing files and trusting the author.
Guidance: Key things to check before installing and using this skill: - Source trust: there is no homepage and the package includes metadata (package.json) that references scripts/dependencies which are not present. Ask the author for the missing scripts or a provenance statement before enabling the skill. - Browser profile access: the skill relies on reusing your browser profile (profile="openclaw"). That gives the agent access to any accounts already logged into that browser (cookies/session tokens). Only enable if you trust the skill and its operator, and consider testing with a browser profile/account that contains only a test Toutiao account. - Filesystem access: the workflow requires reading/uploading files from local paths (C:\tmp\openclaw\uploads and E:\自媒体\今日头条\...). Confirm you are comfortable with the agent reading those directories; if you have sensitive files on those drives, use a dedicated upload directory or a clean environment. - Scheduling/autonomy: the skill documents scheduled autonomous posting. If you enable scheduling, review and restrict schedule frequency and test behavior on a non-production account to avoid accidental mass posts or policy violations. - Missing code: package.json and README reference scripts/ and a Python test script that are not included. Request the missing files or a clear explanation (are those remnants?) and avoid running unprovided scripts. If the developer intends no install, package.json should be simplified to avoid confusion. - Content/compliance: the skill automates publishing; ensure content policies, copyright for images, and platform rules are followed to avoid account suspension. If you cannot verify the missing files or confirm the author's identity, consider not installing or only trying the skill in a sandbox/test account and environment.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes an automated Toutiao (头条号) publishing flow using the platform's built-in browser tool (CDP) and local image uploads — that is coherent with the skill name/description. However, package.json declares a dependency on 'browser-cdp' and a test script ('python scripts/toutiao_cdp_publisher.py') while no scripts/implementation files are present in the package. This discrepancy (metadata implying executable code that is not shipped) is unexpected and should be clarified.
Instruction Scope: concernRuntime instructions instruct the agent to reuse the user's browser profile (profile="openclaw") and to read/upload files from specific local filesystem paths (e.g., C:\tmp\openclaw\uploads\ and E:\自媒体\今日头条\{yyyy-MM-dd}\). That is functionally necessary for an automated web publish skill, but it means the agent will access browser session state (cookies/auth) and local files — sensitive operations. The SKILL.md also instructs the agent to download images from the web (unspecified sources) and to schedule autonomous runs via agentTurn. There are no instructions that appear to exfiltrate data to third-party endpoints, but the combination of browser profile reuse, filesystem access, and autonomous scheduling increases the privacy/risk surface and should be reviewed by the user.
Install Mechanism: noteThis is instruction-only (no install spec) which is lower risk. However, package.json lists a dependency ('browser-cdp') and scripts referring to a Python script that is not included in the package manifest. The presence of dependency metadata without an install step is inconsistent: either the skill expects the 'browser-cdp' skill to be present (consistent with SKILL.md referencing built-in 'browser' tool) or package.json is leftover/incorrect. This mismatch is a red flag to verify before enabling any installation or running any referenced scripts.
Credentials: noteThe skill declares no required environment variables or credentials, which aligns with SKILL.md (it relies on browser profile reuse rather than API keys). This is proportionate for a web-automation publisher. Still, reusing a browser profile effectively grants access to whatever accounts are logged into that profile (session cookies, CSRF tokens). The skill's access scope (local file paths and browser session) is sensitive even though no explicit secrets are requested.
Persistence & Privilege: notealways:false and normal autonomous invocation are used (not force-installed). The SKILL.md recommends scheduled autonomous tasks using agentTurn/sessionTarget=isolated, which is reasonable for automated publishing but raises potential for repeated autonomous actions (posting content) using the user's account. Combined with browser-profile access and filesystem uploads, periodic autonomous runs increase blast radius — verify scheduling settings and test with a throwaway account first.