Csdn Article Publish (CSDN blog article publishing) Skills
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local config is exposed or misused, someone could act as the user's CSDN session, including saving, updating, or publishing blog content.
The skill asks the user to copy browser session/authentication headers into a local config file so the script can act on the user's CSDN account. This is purpose-aligned, but it is broad account authority and the registry metadata declares no primary credential or required environment variable.
`Cookie`: user login cookie ... `x-ca-signature`: signature ... `x-ca-key`: API Key
Only use this with an account you are comfortable automating, protect or delete csdn_config.json after use, refresh/revoke the CSDN session if exposed, and prefer a scoped official token flow if CSDN provides one.
A mistaken command, wrong article ID, or premature publish action could update or make public the wrong article.
The skill intentionally exposes operations that can modify or publish account content on CSDN. The documentation is aligned with that purpose and recommends checking drafts, but these are still high-impact actions.
Supports ... updating articles ... publishing articles (requires additional fields)
Require explicit user confirmation before running publish or update commands, verify article IDs and titles, and use draft mode first.
If the mapping is wrong or tampered with, the agent may update or publish a different CSDN article than intended.
The skill persists a local mapping and can later reuse it to decide which CSDN article to update or publish. This is useful, but stale or edited mappings can affect future actions.
Automatically maintains a local article mapping file `csdn_article_map.json`, recording `file -> articleId -> url`
Inspect csdn_article_map.json before update/publish operations, pass --id explicitly for important changes, and delete incorrect mappings.
Users may not get an install-time warning that the skill requires Node.js and local script execution.
The documented workflow depends on executing bundled Node.js scripts, while the registry metadata lists no required binaries and no install spec. This is not malicious by itself, but it is under-declared runtime behavior.
node {skills目录}/scripts/csdn_article.js save
Declare Node.js as a required binary and make the local script execution requirement explicit in registry metadata.
