ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

luan-xhs-skill

v0.2.5

End-to-end Xiaohongshu operations including positioning, topic research, content production, publish execution, and post-incident recovery. Reusable across v...

0· 64·0 current·0 all-time
by@zarflan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims end-to-end Xiaohongshu operations and includes many Node/Python scripts that drive a headless browser (Playwright). However the registry metadata declares no required binaries or environment variables and there is no install spec. Running the included scripts clearly requires Node, npm packages (playwright), a Python runtime and Pillow, and a Chromium browser — the absence of these declared requirements is an inconsistency and should be clarified.
!
Instruction Scope
SKILL.md instructs the agent to run bundled scripts (login via SMS/QR, publish drafts/videos, generate covers, etc.) and to read local files like persona.md and _meta.json. The scripts explicitly capture cookies, localStorage and sessionStorage from the browser and save them to ~/.openclaw/workspace/xhs_user_info.json; they also write screenshots into the same workspace. Capturing and persisting session data is sensitive (it contains authentication material usable to act as the account). There is no remote exfiltration in the code, but local persistence plus autonomous invocation could let the skill re-use credentials without additional user steps.
!
Install Mechanism
No install spec is provided despite non-trivial runtime dependencies (Node scripts, Playwright and headless Chromium, Python+Pillow). That omission increases risk because it is unclear which packages/binaries will be expected/installed by the agent environment. The README suggests GitHub/Clawhub install commands, but there is no formal, verifiable install step here.
!
Credentials
The skill declares no required environment variables or credentials, yet the scripts read HOME and write to ~/.openclaw/workspace and delete proxy environment variables (process.env.*) at runtime. More importantly, the scripts persist cookies/localStorage (session tokens) for later reuse — effectively storing credentials without a declared primaryEnv. Capturing and reusing session cookies is proportional to the publishing purpose but is sensitive and should be explicitly documented and consented to.
Persistence & Privilege
The skill persists session artifacts under the user's HOME (~/.openclaw/workspace/xhs_user_info.json). Persisting sessions is required for automated publish flows, but it increases the blast radius: an autonomously-invoked agent or a later script run can use those sessions to act on the account. The skill does not set always:true, and it doesn't appear to modify other skills, but the combination of saved sessions + autonomous invocation capability is noteworthy.
What to consider before installing
What to check before installing: - Source trust: this package includes executable scripts that run a headless browser and will capture and save your account session (cookies/localStorage) to ~/.openclaw/workspace/xhs_user_info.json. Only install if you trust the skill author and repository. Ask for a canonical upstream (GitHub) URL and confirm maintainers. - Missing dependency declarations: the registry entry lists no required binaries or install steps, but the code requires Node/npm (and Playwright/Chromium), Python3 and Pillow. Ensure you run these scripts in a controlled environment (container, VM) and install Playwright/Chromium explicitly rather than letting unverified code pull binaries automatically. - Session persistence: understand that login scripts (QR or SMS) will store session/cookie data locally so subsequent publish scripts can act without re-authentication. Treat these files as sensitive credentials — inspect them, and delete/rotate them if you stop trusting the skill. - Proxy/env handling: the skill can clear proxy-related environment variables at runtime; this only affects the script process but be aware if you rely on proxies for monitoring/segregation. - Operational safety: if you allow autonomous invocation, the skill could reuse saved sessions to post content. If you want tighter control, require manual confirmation before any direct publish (use dry-run flags), or disable autonomous invocation for this skill in your agent policy. - Mitigations: run the skill in an isolated environment, audit the scripts yourself (they are present and readable), install dependencies yourself from known sources, and require explicit user consent before any '发布' (publish) action. Ask the publisher to add an install spec and declare required binaries and to document where session files are stored and how to remove them. What would reduce my concern: a clear install spec listing Node/Playwright/Python dependencies, an explicit statement in SKILL.md/README that sessions are stored locally and where, and a canonical upstream repo/homepage so you can verify authorship and updates.
scripts/xhs_publish_with_saved_session.js:42
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973y66b1vthqhxttbvg7c9h4h844389

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments