v1.0.0

Temp Xhs Skill

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:40 AM.

Analysis

The skill is purpose-aligned for Xiaohongshu publishing, but it asks the agent to use a logged-in social account, publish/reply/delete public content, and persist drafts without enough declared credential and approval boundaries.

Guidance: Review carefully before installing. If you use it, run it only with a dedicated Xiaohongshu/browser profile, require manual confirmation for every post, reply, edit, delete, and scheduled publish, and change or disable the draft backup path unless you intentionally want drafts stored in agent memory.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Click the "Publish" button ... enter the reply content ... send ... click the "Delete" button ... confirm deletion

The workflows cover publishing public notes, sending public comment replies, and deleting drafts or published notes. Only the scheduled-publish section explicitly says to show details and wait for user confirmation.

User impact: The agent could create, modify, reply from, or delete content on a public social account, which can affect reputation and account state.
Recommendation: Add mandatory preview-and-confirm steps for every publish, reply, edit, delete, and scheduling action, including the exact account, content, visibility, and reversibility.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
_meta.json
"ownerId": "kn7dasj35wgscpnt61azbr5dnn80tx7m",
  "slug": "xhs-publisher"

The bundled metadata uses a different owner/slug than the registry listing, which names the skill as temp-xhs-skill with a different owner ID. This is a provenance/identity ambiguity, especially relevant because the skill asks for social-account authority.

User impact: It is harder to verify who published the skill and whether this package matches the registry listing.
Recommendation: Verify the publisher and package identity before installing, and prefer a skill with consistent registry and bundled metadata.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
森森 uses the same browser Profile
- Login state is kept automatically

**Note**: Both platforms require login!

The skill tells the agent to reuse a logged-in browser profile for Xiaohongshu creator/user platforms. That gives the agent account-level authority, even though the registry declares no primary credential or required credential setup.

User impact: If installed, the agent may act through the user's logged-in Xiaohongshu account and access account-only pages, comments, drafts, posts, and analytics.
Recommendation: Use a dedicated browser profile or dedicated account, declare the credential/session requirement, and require explicit user approval before account actions.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Each time a draft is saved, also back it up to a local file:

- Backup file location: E:\OpenClaw\agents\ceo\memory\xhs-drafts.md

The skill directs automatic backup of drafts into an agent memory directory. Drafts may contain private unpublished content, and the artifact does not define consent, retention, deletion, access, or cross-task reuse limits.

User impact: Unpublished drafts could persist locally and later be exposed, reused, or influence future agent behavior.
Recommendation: Ask before saving drafts, use a user-approved scoped path, document retention/deletion behavior, and avoid storing drafts in shared agent memory unless explicitly requested.