Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to check before installing/using:
- Ask the author to explain '浏览器需要配置 SSRF 策略' — why is SSRF needed and exactly what configuration is required? This is unusual and can weaken network protections.
- Confirm how browser automation is performed and whether the skill or agent will have access to your browser's logged-in sessions/cookies. Do not use your primary/production accounts until you verify behavior.
- Note the jimeng-download.py uses PowerShell (Invoke-WebRequest) — it is Windows-speci...
Detailed analysis
ℹ Purpose and capabilities
The name/description match the files: SKILL.md describes browser automation to publish to multiple Chinese social platforms and two helper scripts are included. However the code does not actually implement browser automation: video-publish.py only prints instructions and jimeng-download.py shells out to PowerShell to download a URL. There's a mismatch between claimed automated publishing and the limited, mostly-instructional code.
⚠ Instruction scope
SKILL.md instructs the agent to '自动打开浏览器, 依次登录并发布' and to extract the video src via JS from a logged-in page, then download it. It also instructs '浏览器需要配置 SSRF 策略' (unclear why or how). These steps rely on controlling a browser session and accessing authenticated resources; that gives the skill access to whatever accounts are logged in within the browser. The SSRF instruction is ambiguous and could imply configuration that weakens network boundaries. The agent is told to run JavaScript in pages and to use system-level downloads (PowerShell), which go beyond simple text generation and warrant caution.
✓ Install mechanism
No install spec and no external downloads at install time—this is instruction-first and thus lower install risk. The included Python scripts are small and do not install dependencies or pull remote archives.
ℹ Credential requirements
The skill requests no environment variables or credentials, which is consistent with the idea of using the user's browser sessions and QR logins. However SKILL.md and PLATFORM_GUIDE mention maintaining logged-in browser pages and even list example account IDs, which is unexpected for an instruction-only skill from an unknown source. Also the instruction to configure 'SSRF 策略' is unexplained and potentially disproportionate.
✓ Persistence and permissions
always is false and there's no install that persists or modifies other skills or system-wide configs. The skill relies on ephemeral browser automation and user logins; autonomous invocation is allowed by default but is not combined with any additional privileged flags.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 (2026/3/22)
● Suspicious
Install command
Official: npx clawhub@latest install social-publish
Mirror (accelerated): npx clawhub@latest install social-publish --registry https://cn.longxiaskill.com