ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

小红书图文发布

v1.0.0

小红书创作者平台写帖子:mcporter 调用 chrome-devtools-mcp 操作浏览器,禁止 browser 工具。上传图片、填写标题正文,发布由用户手动完成。

1· 1k·7 current·7 all-time
by@yewenwu1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description say it will automate Xiaohongshu publishing using mcporter -> chrome-devtools-mcp. Declaring mcporter as a required binary matches that purpose. No unrelated environment variables, credentials, or config paths are requested.
Instruction Scope
The SKILL.md tells the agent to use mcporter to control the browser and to list (ls) a user Desktop folder to locate images for upload. Reading the Desktop to find images is proportional to the task, but the instructions are minimal/ambiguous about exact mcporter commands and give the agent discretion to run devtools operations. A positive control is that final 'publish' is explicitly left to the user, preventing fully automatic posting.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk delivery method. It relies on an existing mcporter binary being present rather than downloading code.
Credentials
No environment variables, credentials, or config paths are requested. Requiring only mcporter is proportionate to a browser-automation publishing task.
Persistence & Privilege
always is false, the skill is user-invocable, and it does not request persistent presence or modify other skill/system configs. Model invocation is allowed (the platform default) but not combined with other concerning flags.
Assessment
This skill appears coherent, but take these practical precautions before installing: 1) Verify the mcporter binary on your system is legitimate and from a trusted source — the skill will invoke it to control your browser. 2) Be aware the agent will run filesystem commands (ls) and access files under the specified Desktop folder to find images — don't store sensitive files in that folder. 3) If you want tighter control, ask the skill author or maintainer for the exact mcporter/devtools commands it will run, or run it manually the first time to observe behavior. 4) Note that the final 'publish' step is left to the user, so posts won't be published automatically without your confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk979ncgwqg6p27t71v2wa9vcwd824r7f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📕 Clawdis
Binsmcporter

Comments