Security audit

xhsmander

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Xiaohongshu automation tool, but it gives a third-party Docker service persistent ability to act on a live social account with weak scoping and no required confirmation steps.

Install only if you trust the Docker image and are comfortable letting it use your Xiaohongshu account. Require the agent to show the exact post or interaction and get approval before publishing, liking, favoriting, or commenting. Run it only on a trusted machine, keep port 18060 local and protected, stop the container when finished, and delete stored cookies in `./data` if you no longer need the session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises and documents network access and file-writing behavior via Dockerized automation, but the skill manifest shown in SKILL.md does not declare permissions or present explicit capability boundaries. This creates a transparency and governance gap: users or hosting systems may invoke a skill that can write files and perform account-affecting remote actions without clear prior authorization.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad enough to match common posting-related requests, which increases the chance the automation skill is invoked when a user only intended general advice or drafting help. In this context, mistaken activation is risky because the skill can initiate login, publish content, and interact with a real social-media account.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill explicitly supports automated login, posting, search, and interaction on a live Xiaohongshu account, but the description does not foreground that these are account-impacting actions requiring informed consent. Because the documented tools include publishing and social interactions, insufficient warning can lead to unauthorized actions, account abuse, reputational harm, or platform-policy violations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The API reference documents state-changing actions such as publishing content, liking, favoriting, and posting comments, but it does not include any warning, confirmation requirement, or safety guidance about public posting and account-modifying effects. In an automation skill for a live social-media account, this increases the risk of accidental or unauthorized actions that could publish data publicly, spam other users, or alter account state without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script performs network requests to a local MCP service and writes the returned data, including a login QR code image, directly to fixed filesystem paths without any user confirmation, visibility, or validation. In the context of an automation skill that handles authentication, this can unexpectedly create sensitive artifacts on disk and trigger side effects against a local service, which is unsafe if invoked automatically or by an unsuspecting user.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The script sends user-provided title, body text, image path, and tags directly to an external MCP tool that publishes to Xiaohongshu, but it provides no explicit notice, confirmation, or data-handling warning at the point of transmission. In an automation skill whose purpose is external posting, this is contextually expected, but it still creates a real privacy and consent risk because users may not realize their content and referenced image are being transmitted to another service and potentially published publicly.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.