Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

App Publish

v1.0.5

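Automates publishing videos to three platforms (Kuaishou, Bilibili and Douyin) through Chrome browser scripting, with support for filling in the title, cover and keywords, and for login checks.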

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and SKILL.md: the package implements Chrome/CDP-based automation to publish videos to Kuaishou, Bilibili and Douyin. Required capabilities (CDP, file inputs, selectors) align with the stated purpose.
Instruction Scope
SKILL.md restricts actions to running the provided Python CLI and browser automation. The code adheres to that (navigating upload pages, setting file inputs, filling forms). However the CDP client can execute arbitrary JS on pages and debug helpers save full page HTML to disk — meaning the skill can read page content, DOM, and potentially data in pages (cookies/localStorage visible via JS) if run against an authenticated browser session. This is expected for automation but important to be aware of.
Install Mechanism
This is an instruction+code skill with no install spec; dependencies are standard Python packages (requests, websockets) declared in pyproject and requirements.txt. No downloads from external URLs or archive extraction are present in the manifest.
Credentials
Manifest declares no required env vars, but code reads CHROME_BIN and proxy env vars (KBS_PROXY, HTTPS_PROXY, HTTP_PROXY) and uses a default user-data-dir (~/.kbs/chrome-profile). The skill will therefore interact with environment variables and a browser profile not declared in the registry metadata. Also, because it connects to a running Chrome debug port and can reuse a profile, it will operate with whatever authenticated sessions exist in that profile — a high-impact capability that should be explicit to users.
Persistence & Privilege
The skill does not request always:true and is not force-enabled. It may create/use a local Chrome profile directory (~/.kbs/chrome-profile) and can spawn/terminate Chrome processes (including killing processes listening on the CDP port). Those are reasonable for a browser-automation tool but constitute local persistence and process-control privileges the user should accept consciously.
What to consider before installing
- Functionally this package does what it claims: it automates Chrome to upload videos and fill forms. That requires access to your local video/cover files and to a Chrome session that is logged in to the target platforms.
- High-impact capability: it connects to a Chrome debug port and can reuse a browser profile — if you point user-data-dir at a profile that contains your real accounts the skill will act with those authenticated sessions. Use a dedicated Chrome profile (create a new user-data-dir) to isolate credentials.
- The code executes arbitrary JS in pages and can save page HTML to disk (debug helpers). Treat it as able to read page content, DOM, and client-side data; do not run it against sensitive accounts unless you trust the author.
- Environment variables: CHROME_BIN and proxy env vars (KBS_PROXY/HTTP[S]_PROXY) are respected though not listed in the registry metadata. Do not set a proxy you don't trust.
- Safety steps: review the full source locally, run first with --no-publish to confirm behavior, run in an isolated environment or VM, and point --user-data-dir to a throwaway Chrome profile. If you need higher assurance, have a developer audit the remaining omitted files or run the skill in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.
