Back to skill
Skillv1.0.0
VirusTotal security
Xiaohongshu Auto Publish · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 5:12 AM
- Hash
- bdad645dadfa23392b560d0626c97a5861e028e97570c081ace226f7fcad33b6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xiaohongshu-auto-publish Version: 1.0.0 The skill bundle contains a hardcoded sensitive API secret key (sk_4eacbcc9e4411bd1490794b27867199f9801e3150b4c354541e6a2927931a06e) across multiple files, including skill.py, publish.sh, and configure_skillpay.py. It also relies heavily on hardcoded absolute file paths (e.g., /Users/xiaofang/...) which are non-portable and indicate a poorly secured or environment-specific configuration. While the logic appears to fulfill the stated purpose of automating Xiaohongshu posts, the integration with an external payment verification service (skillpay.me) and the exposure of credentials represent significant security vulnerabilities.
- External report
- View on VirusTotal