Skillv0.1.1

ClawScan security

Redbook Browser Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 2, 2026, 2:20 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, requirements, and scope align with its stated purpose (browser-automated publishing to Xiaohongshu) and it does not request unrelated credentials or install code.
Guidance: This skill appears to do what it claims: automated interactions on creator.xiaohongshu.com. Before installing, verify two things: (1) the agent/platform will always pause and require the exact confirmation phrase before any 'publish' action (test with a dry-run or draft-only flow first), and (2) any local image paths you provide will be read/uploaded by the agent—do not point it at directories containing sensitive files. Because this is instruction-only, there is no bundled code to review, so only the runtime enforcement of the confirmation and your browser session controls stand between the agent and publishing. If you want extra caution, restrict the agent to draft-only mode or disable autonomous invocation until you are comfortable with its behavior.

Review Dimensions

Purpose & Capability: okName/description match the SKILL.md: it automates publishing, drafting, replies, and metrics on creator.xiaohongshu.com. It does not ask for unrelated binaries, cloud credentials, or config paths—everything requested is proportionate to a browser-automation publishing task.
Instruction Scope: noteInstructions are narrowly scoped to actions on the official creator site (login, open publish page, fill title/body, upload images if provided, require explicit publish confirmation). The skill does reference local image paths (it will need access to image files the user supplies) and may take snapshots for failure handling; these are reasonable for the purpose but the user should expect the agent to access any image paths provided and to capture screenshots of the page when troubleshooting.
Install Mechanism: okInstruction-only skill with no install spec and no code files. This is low-risk from an install perspective because nothing is downloaded or written to disk by the skill package itself.
Credentials: okNo environment variables, credentials, or config paths are requested. That is appropriate for a skill that operates through the user's logged-in browser session rather than using third-party API keys or external services.
Persistence & Privilege: notealways:false (normal). The skill allows model invocation (disable-model-invocation:false), which is the platform default. The SKILL.md requires explicit, per-turn confirmation before publishing—this mitigates autonomous posting risk, but you should confirm that the agent/platform enforces that confirmation step in practice before granting the agent permission to act autonomously.