Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Social Publisher
v1.0.0
One-click publishing to Juejin, Zhihu, Weibo, and Xiaohongshu with scheduling, format adaptation, and publishing logs using platform cookies.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims support for Juejin, Zhihu, Weibo, and Xiaohongshu in the description, but the bundled code (scripts/social_publisher.py) only implements juejin, zhihu, and weibo. package.json and SKILL.md refer to repository/hosting on an unfamiliar domain; no homepage is provided. These inconsistencies suggest the metadata and code are not fully aligned.
Instruction Scope
SKILL.md tells the user to put platform cookies in ~/.openclaw/workspace/config/social-publisher.json, but the script loads config relative to the skill bundle (CONFIG_FILE = W / 'config/social-publisher.json' where W = two levels up from the script). That mismatch means cookies placed as instructed may not be found, and cookies might instead be stored alongside the skill bundle. SKILL.md also references Xiaohongshu support and a note about captchas, but there's no Xiaohongshu code. The runtime instructions otherwise are limited to posting content and logging; there are no other surprising file reads or external endpoints beyond the platform APIs.
Install Mechanism
No install spec is included (instruction-only install). The bundle contains a Python script and package.json but nothing is downloaded at runtime. This is lower risk than an installer that fetches arbitrary code from the internet.
Credentials
The skill does not request environment variables, but it requires platform cookies (sensitive credentials) stored in a JSON config file. Storing cookies unencrypted in a filesystem path adjacent to the skill (memory/ and config/ under the bundle) may expose credentials to other local users or backups. Asking for cookies is proportional to the stated publishing purpose, but the SKILL.md/code path mismatch and lack of guidance on secure storage are concerning.
Persistence & Privilege
always is false and the skill only reads/writes its own config and log files (config/social-publisher.json and memory/social-publish-log.jsonl relative to the bundle). It does not request elevated privileges or modify other skills. Autonomous invocation is allowed by default but not itself flagged.
What to consider before installing
This skill is not outright malicious, but there are inconsistencies and privacy risks you should weigh before installing:
- Do not supply real account cookies until you trust the author. Test with throwaway accounts first.
- SKILL.md tells you to put cookies in ~/.openclaw/workspace/config/social-publisher.json, but the script actually reads config/social-publisher.json relative to the skill bundle. Confirm where cookies will be stored and avoid leaving them in a repository or world-readable folder.
- The description mentions Xiaohongshu but the script does not implement it — expect incomplete functionality.
- Logs are written to memory/social-publish-log.jsonl in the bundle; these may contain publish results and should be protected.
- Prefer encrypted/OS-protected credential storage over plaintext cookies in files; if you proceed, review scripts/social_publisher.py yourself (or have someone you trust do so) to verify there are no hidden endpoints or extra network calls.
If you cannot verify the code or do not want to risk exposing cookies, do not install or only use test accounts. If you decide to use it, ask the author to fix the config path mismatch, remove/clarify the payment/marketing text, and either implement Xiaohongshu or remove it from the description.
Like a lobster shell, security has layers — review code before you run it.
automation, chinese, latest, publish, social
