Naver Blog Publisher
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Naver Blog publishing skill, but it relies on an unpinned persistent local runner with account/session access and optional admin/control-plane tokens that are not clearly bounded.
Install only if you trust the external npx runner and understand that it can use your local browser/Naver session to publish. Prefer dry-run first, require explicit confirmation before live publishing, avoid using admin API keys unless absolutely necessary, and make sure you know how to stop and remove the local daemon.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong content or without final review, the user's Naver Blog could receive an unintended public post and the paid path may be used.
The skill exposes a live publishing command that can create a public blog post and trigger the paid path. This is purpose-aligned, but users should treat it as a high-impact action.
publish_live --title "Title" --body "Body" --tags "tag1,tag2" ... `publish_live` is the paid path
Require an explicit final user confirmation of title, body, tags, target account, and billing impact before running live publish.
A user or agent may provide broader control-plane or local-runner authority than is obviously necessary for a single blog publish operation.
The skill documents use of an admin API key fallback and an auto-loaded local token, while the registry metadata declares no required credentials or environment variables.
fallback: `CONTROL_PLANE_URL + ACP_ADMIN_API_KEY` - `X_LOCAL_TOKEN` optional and auto-loaded from `~/.config/naver-thin-runner/config.json`
Avoid admin-level fallbacks where possible; declare all credentials and environment variables, use narrowly scoped tokens, and document exactly what each token can access.
Running the setup may execute unreviewed remote code with access to the user's local environment, browser login flow, and later publishing workflow.
The reviewed artifact delegates execution to an external npx package without a version pin or included source, and that package is expected to handle setup for account-linked publishing.
npx @y80163442/naver-thin-runner setup --setup-url "<SETUP_URL>" --auto-service both
Provide a reviewed install spec or source files, pin the package version, document provenance, and avoid asking users to run unpinned npx commands for account-sensitive automation.
A local publishing service may continue running after setup and could retain access to local runner tokens or browser-authenticated publishing capability.
The setup and runtime instructions include creating auto-services and starting a local daemon, but the artifact does not define lifecycle controls or containment.
--auto-service both ... npx @y80163442/naver-thin-runner daemon start --port 19090
Make daemon installation opt-in, document stop/uninstall commands, bind only to localhost, require a scoped local token, and explain how sessions are cleared.
