xiaohongshu-skill

Security checks across malware telemetry and agentic risk

Overview

This skill automates a real Xiaohongshu account, includes anti-detection behavior, and sends login QR data to a third-party service without clear disclosure.

Install only if you are comfortable giving the skill control of a logged-in Xiaohongshu browser session. Review the QR-login code before use, because it sends login QR material to a third-party QR service. Prefer staged publish flows, manually verify the selected account and exact content before any public post or comment, and avoid using the stealth automation features where platform rules or account safety matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes local Python scripts, launches a browser, reads and writes files, and performs networked actions against XiaoHongShu, yet it declares no permissions or trust boundaries. This creates a capability-transparency gap: a caller or platform may underestimate what the skill can do, increasing the risk of unintended command execution, file access, account actions, and external communications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code explicitly injects a stealth script on every new document, which is an anti-detection mechanism intended to mask browser automation from the target site. In the context of a Xiaohongshu automation skill, this increases risk because it enables covert interaction with a third-party platform and can facilitate terms-of-service evasion or abusive automation without user awareness.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The browser setup overrides the user agent and randomizes viewport/device metrics specifically to disguise automated control as a more natural user environment. Combined with CDP automation for posting and interaction, this meaningfully increases the capability to evade bot detection on Xiaohongshu and makes the automation less transparent and more abuse-prone.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code uploads login QR-code image bytes to api.qrserver.com for decoding, even though the QR content is tied to Xiaohongshu authentication. Login QR codes are authentication artifacts; sending them to an unrelated third party can expose session-initiation links or other sensitive login material, creating an unnecessary data exfiltration path outside the stated automation purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims an exhaustive whitelist of allowed publishing commands, but later requires additional commands not included in that list. This inconsistency weakens operator trust boundaries and can cause agents or reviewers to incorrectly enforce or bypass command restrictions, increasing the chance of unintended tool use.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document mandates use of `save-draft` during cancellation flows while asserting that only a fixed set of subcommands may be used, and `save-draft` is omitted from that set. In an adversarial skill setting, contradictory guardrails are dangerous because they create ambiguity about what execution is authorized and can be exploited to justify off-policy command expansion.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The account-selection step requires `python scripts/cli.py list-accounts`, but that command is not included in the supposedly exhaustive allowed subcommand list. This undermines the integrity of the stated execution boundary and can lead agents to normalize exceptions, which is especially risky in a skill that performs authenticated actions on user accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes automated likes, favorites, comments, and other social interactions on a real user account, but it does not clearly warn users about account sanctions, rate limits, anti-bot enforcement, or integrity/policy risks. In the context of a browser automation skill for Xiaohongshu, this omission is security-relevant because it can lead users or downstream agents to perform high-risk actions without informed consent or guardrails.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents publishing workflows, including one-step and staged posting commands, without an explicit warning that these actions can publish publicly from the user's authenticated Xiaohongshu account. In an agent-skill context, that is dangerous because an agent or user may trigger irreversible public posting, reputational harm, or accidental disclosure without a clear notice and confirmation boundary.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger is broad enough to activate on many ordinary requests related to posting, searching, liking, logging in, or analysis, which can cause the skill to engage without sufficiently precise user intent. In a skill that can authenticate accounts, publish content, comment, and perform interactions, over-triggering increases the chance of unintended sensitive or state-changing actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file contains stealth injection, UA spoofing, and browser fingerprint manipulation without any visible warning, consent flow, or operator-facing explanation of the risks. This is dangerous because it normalizes covert evasion behavior in a social-platform automation tool, making misuse easier and reducing the chance that users understand they are operating in a deceptive mode.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code directly automates posting and replying to comments on Xiaohongshu with no explicit confirmation, rate limiting, approval gate, or policy checks in this module. In a social-platform automation skill, this creates a realistic risk of spam, abusive mass engagement, or accidental posting under a logged-in account if invoked by another component or prompt without sufficient user intent validation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file transmits QR-code image bytes derived from the login flow to a third-party QR decoding service without any visible disclosure or consent mechanism. Because the QR is part of an authentication workflow, undisclosed external transmission increases privacy and account-compromise risk and violates least-privilege expectations for a login helper.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function `click_publish_button` directly triggers a real publish by clicking the platform's publish button, with no in-function confirmation gate, dry-run mode, or last-moment user approval check. In an automation skill that can log in and post to a real social platform, this creates a meaningful risk of unintended or unauthorized publication if upstream prompts, agent planning, or content generation are mistaken or manipulated.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill metadata and trigger text are broad enough to activate on a wide range of Xiaohongshu-related requests, which can cause the agent to take over actions such as login, posting, commenting, liking, or account operations without sufficiently narrow scoping. In an automation skill that performs authenticated social-media actions, over-broad triggering increases the chance of unintended execution on ambiguous prompts and can lead to unauthorized or surprising account activity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents destructive operations like deleting cookies, removing accounts, and logging out without requiring an explicit warning or confirmation immediately before execution. In this context, those actions can disrupt active sessions, erase local authentication state, and remove configured account profiles, making accidental or ambiguous invocation materially harmful.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad enough that normal user requests about analysis, creation, or interaction on Xiaohongshu could invoke this high-impact automation skill without sufficiently precise scoping. Because the skill can perform account actions such as posting, commenting, liking, and favoriting, an overly broad trigger increases the chance of unintended execution of social-platform operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description says the skill triggers when users ask to search Xiaohongshu, view note details, browse the homepage, or view user profiles, using broad natural-language categories without clear exclusion conditions. In an agent environment, this can cause unintended invocation on loosely related requests, leading the agent to access browser-authenticated social content or account context when the user did not explicitly intend to use this skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The input-classification rules use vague examples such as '找内容' ("find content"), '看这篇帖子' ("look at this post"), and '看看这个博主' ("check out this blogger") without requiring explicit platform identification or validation of needed parameters. Because this skill operates against a logged-in Chrome session and can retrieve social content, ambiguous routing increases the chance of accidental data access, cross-skill misfires, or unintended use of a selected account.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger description is broad enough to overlap with ordinary user requests about Xiaohongshu actions such as commenting, liking, or saving content. In an agent system, this can cause unintended activation of a skill that performs real account actions, increasing the risk of accidental social interactions or account misuse without sufficiently specific user intent.

VirusTotal

60/60 vendors flagged this skill as clean.