Skillv1.0.0

ClawScan security

Xhs Surfer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 14, 2026, 9:09 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (automating browsing/interactions on 小红书) matches most instructions, but the runtime instructions reference sensitive local data (cookies file, private messages) and LLM API keys that are not declared in the skill metadata, and the skill asks you to pip-install a third-party package (and Playwright) — these mismatches and sensitive operations warrant caution.
Guidance: This skill automates account actions (likes, comments, follows) and can read local cookies files and private messages — anything that gives it your cookies, credentials, or API keys can be used to act as your account. Before installing or running it: 1) Review the xhs-surfer PyPI package and its GitHub repo source code yourself to ensure it does what it claims. 2) Do not supply real account cookies/credentials or primary API keys to an untrusted package; prefer a throwaway/test account when experimenting. 3) Be cautious about providing LLM API keys — the SKILL.md references OPENAI/QWEN keys but they are not declared in metadata. 4) If you proceed, run the package in an isolated environment (VM/container) and limit network/proxy access; verify rate limits and safety settings to avoid account bans. 5) If you need the agent to act on private data (cookies, messages), accept that those items will be accessed — only proceed if you trust the package and have audited its code.
Findings: [no_code_files_to_scan] expected: The static scanner had no code files to analyze because this is an instruction-only skill (SKILL.md). That explains the absence of regex findings, but also means the claim to pip-install a PyPI package (xhs-surfer) and the package's runtime behavior could not be inspected by static analysis.

Review Dimensions

Purpose & Capability: noteThe name/description (XHS automation: search, browse, like, comment, follow) align with the instructions (Playwright-based browsing, actions like like/comment/follow, login via QR or cookies). Requesting python3 and recommending pip install xhs-surfer / playwright is consistent with building a browser automation skill. However, the skill also exposes features that access private content (check_messages) and instructs reading a cookies file — capabilities that are sensitive even if coherent with the purpose.
Instruction Scope: concernSKILL.md tells the agent to: pip install a package, run Playwright (which will download browser binaries), login via cookies_file (reads a local cookies.json), perform account actions (likes, comments, follows), and check private messages. It also references environment variables for LLM providers/keys (OPENAI_API_KEY, QWEN_API_KEY) that are not declared in the skill's top-level requirements. Instructions to read local cookie files and inspect DMs increase the sensitivity and risk surface and are not explicitly represented in the skill metadata.
Install Mechanism: noteThere is no registry install spec, but SKILL.md instructs pip install xhs-surfer and running 'playwright install chromium'. Installing a third-party PyPI package and downloading Playwright browser binaries is a moderate install risk but expected for this functionality; the registry providing no automated install spec means the agent/user will perform the installation themselves. Verify the PyPI package source and repository before installing.
Credentials: concernThe skill metadata declares no required env vars, yet SKILL.md shows expected environment variables (OPENCLAW_LLM_PROVIDER, OPENAI_API_KEY, LLM_PROVIDER, QWEN_API_KEY) and includes LLM configuration examples containing API keys. It also uses cookies files and proxy addresses (which imply reading local config). Requesting or using LLM API keys and local cookies is plausible for comment generation and session auth, but the skill does not declare these as required credentials — this mismatch reduces transparency and increases risk of accidental key/cookie exposure.
Persistence & Privilege: okalways is false and the skill is user-invocable only; it does not request permanent/all-agent inclusion and does not claim to modify other skills or global agent settings. No unusual persistence or privilege escalation is requested.