Skillv1.0.0

ClawScan security

Xiaohongshu Auto Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 5, 2026, 3:01 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code generally matches its stated purpose (auto-generate content and publish to 小红书) but includes hard-coded credentials, absolute user-specific paths, and missing/inconsistent components — enough incoherence and sensitive data exposure to warrant caution.
Guidance: Do not run this on a production or personal machine without review. Specific things to consider before installing or running: - Hard-coded API key: The repository contains a SkillPay API key embedded in multiple files and ACCOUNTS.md. If you don't trust the author, do not use that key — rotate it or remove it. Prefer configuring your own API key via an environment variable rather than using the embedded value. - Absolute, user-specific paths: The code references /Users/xiaofang/.openclaw/... and other local cookie paths. These will likely fail on your machine and could cause the skill to access local config files if you adapt it. Inspect any references to ~/.openclaw or cookies.json before running. - Missing files/dependencies: skill.py expects generate_cover_chinese.py, a generate_content module, and an xhs_client.py under a specific path, but these are not included. The package appears incomplete — verify and audit the missing components before use. - Network and subprocess behavior: The skill will call external endpoints (skillpay.me) and run local binaries (clawhub, xhs client). Run it in a sandbox or container first, and inspect or stub the xhs_client and payment verification calls if you want to test functionality safely. - If you intend to use it: replace the embedded API key with your own, declare it via a secure environment variable, audit xhs_client and any MCP code it invokes, and remove or correct absolute paths. If you don't control the SkillPay account associated with the embedded key, do not use that key — it could result in charges, unexpected behavior, or leaking of usage data. Given the mix of sensitive embedded data and packaging inconsistencies, treat this skill as untrusted until you or the author fixes the issues above.
Findings: [hardcoded-secret-skillpay-api-key] unexpected: A SkillPay API key (sk_...) is embedded directly in configure_skillpay.py, publish.sh, skill.py and ACCOUNTS.md. A publish/verification integration would typically accept the API key from a declared environment variable or require the owner to configure their own key — embedding another party's key is unexpected and risky. [absolute-paths-to-user-home] unexpected: Multiple files hard-code /Users/xiaofang/.openclaw/... and references to ~/.openclaw workspace paths and cookies.json. These user-specific absolute paths make the skill non-portable and indicate it was packaged from a developer environment; they also point to local credentials/config that the skill will rely on or cause it to fail elsewhere. [missing-local-modules-or-scripts] unexpected: skill.py references generate_cover_chinese.py, imports generate_content from the workspace, and calls an XHS_CLIENT script at a specific path, but these referenced modules/scripts are not present in the repository. This inconsistency means the skill cannot run as-is and suggests incomplete packaging. [subprocess-exec-network-calls] expected: The skill runs subprocesses (calling xhs_client.py, clawhub, etc.) and makes HTTP requests to SkillPay — these are expected for an auto-publish skill that interacts with local clients and a payment service. However, combined with hard-coded credentials and absolute paths this amplifies risk.

Review Dimensions

Purpose & Capability: concernThe code implements AI content + cover generation and a publish step, which aligns with the skill description. However the implementation embeds a SkillPay API key directly in multiple files and hard-codes absolute paths under /Users/xiaofang/.openclaw/ pointing to other local components (xiaohongshu-mcp). The SKILL.md declared no required env vars or credentials, but the code clearly requires access to a SkillPay API key and a local xiaohongshu client — this mismatch is incoherent.
Instruction Scope: concernSKILL.md only instructs users to run python skill.py "topic", but runtime instructions in code call out to local scripts and CLIs (an xhs_client.py under a specific path, generate_content from a workspace module, clawhub publish via shell scripts). The repository is missing some referenced modules/scripts (generate_cover_chinese.py, generate_content, xhs_client.py), and the code will invoke network calls (SkillPay endpoints) and local binaries. The instructions grant broad discretion (calls external clients and system commands) but don't document or declare those dependencies clearly.
Install Mechanism: noteNo install spec (instruction-only) and no third-party downloads are present in the manifest, which lowers installer risk. The repo includes shell helper scripts that call clawhub and curl, and Python uses requests/Pillow. No archive downloads or remote installs are invoked by the skill files themselves.
Credentials: concernThe skill manifest declares no required env vars or primary credential, yet the source contains a hard-coded SkillPay API key (present in configure_skillpay.py, publish.sh, skill.py, and ACCOUNTS.md). It also references local cookie/config paths (~/.openclaw/workspace/skills/xiaohongshu-mcp/bin/cookies.json) and absolute workspace paths under a particular user's home. Requesting or embedding these secrets and paths without declaring them is disproportionate and potentially exposes credentials.
Persistence & Privilege: okThe skill does not request always:true or other elevated platform privileges. It does run subprocesses and invoke network APIs, but autonomous invocation defaults are unchanged. There is no self-install script that modifies other skills' configs in the provided files.