Is c4chuan/csdn-publisher safe?

https://github.com/openclaw/skills/tree/main/skills/c4chuan/csdn-publisher

87
SAFE

This appears to be a legitimate tool for publishing content to CSDN with appropriate browser automation functionality. While it has some elevated privileges and complex code execution capabilities, all functionality appears consistent with its stated purpose and no malicious behavior was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Sensitive file access during installation -15

The skill installation process accessed several sensitive files including SSH keys, AWS credentials, and environment files. While no exfiltration was detected, this creates potential attack surface.

MEDIUM Browser automation and CDP injection capabilities -20

The skill includes sophisticated browser automation using Playwright and Chrome DevTools Protocol for content injection. While legitimate for CSDN publishing, these capabilities could theoretically be misused.

LOW Canary file access without modification -10

Multiple canary files were accessed during installation, though no modification or exfiltration was detected. This indicates the installation process had broad file system access.

LOW Complex documentation could obscure instructions -5

The skill contains extensive documentation (over 500 lines), which could potentially be used to hide malicious instructions, though none were detected in this analysis.