Skill v1.0.2

ClawScan security

xiaohongshu-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 2:12 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to implement the claimed Xiaohongshu browser-automation capabilities and mostly stays within scope, but it persistently stores browser profiles/cookies under your home directory and the SKILL.md contains a detected unicode-control-chars prompt-injection signal — review persistence and the SKILL.md before installing.
Guidance
What to check before installing/using this skill:
- Understand persistence: the tool creates ~/.xhs (Chrome profiles, accounts.json) and temporary session files; logged-in cookies and profiles are stored locally and grant ongoing access to your logged-in Xiaohongshu sessions. If you don't want persistent credentials on your machine, do not use it, or run it in an isolated container or VM.
- Inspect the SKILL.md and code you received (especially any non-ASCII/control characters). The scanner found unicode-control-chars in SKILL.md — open the file in a hex-capable editor to ensure there are no invisible manipulative characters.
- Confirm provenance: the source is listed as a GitHub repo; verify that the repo owner and releases are legitimate (check commit history, stars, issues). Prefer installing from an official GitHub release rather than a zip from an unknown mirror.
- Run in an isolated environment for first use: a disposable VM, container, or dedicated user account will limit impact if something unexpected happens. After installation, inspect files created under ~/.xhs and temp directories.
- Review optional env vars and network behavior: CHROME_BIN and XHS_PROXY can change runtime behavior (proxy routing). If you see unexpected proxy settings, do not proceed. The tool opens Chrome with remote debugging; ensure your machine/network policies allow this.
- Check and limit automation scope: the SKILL.md mandates using only this project's CLI — that is not malicious by itself, but be cautious when granting agents autonomous invocation; verify the agent only runs expected CLI commands and requires explicit user confirmation for publish/comment actions.
If you want, I can (a) point out exactly which files persist sensitive data and where, (b) extract and show any non-printable characters from SKILL.md, or (c) suggest a minimal containment/run strategy (docker commands) for testing safely.
Findings
[unicode-control-chars] unexpected: A pre-scan flagged unicode control characters inside SKILL.md. This can be benign (formatting, non-visible characters) but is a common pattern used in prompt-injection or obfuscation. The rest of the SKILL.md appears coherent, but you should inspect the SKILL.md raw bytes (and any non-ASCII characters) for hidden instructions or suspicious invisible characters that could alter how text is parsed or displayed to agents.

Review Dimensions

Purpose & Capability
ok
The name/description (Xiaohongshu automation: login, publish, search, interact, ops) matches the included scripts and sub-skill SKILL.md files. The project provides a CDP-based Python automation engine, CLI commands, account management and publish pipelines — all expected for the stated purpose. Required binaries (python3, uv) align with the codebase.
Instruction Scope
note
The SKILL.md explicitly instructs the agent to only run the project's CLI (python scripts/cli.py) and to use absolute paths and user confirmation flows; that keeps runtime actions narrowly scoped to browser automation. However, SKILL.md and the CLI cause the agent to: (a) start/manage Chrome with remote debugging, (b) write/read files under /tmp and the user's home (~/.xhs), (c) display QR codes and expose login URLs in responses. Those behaviors are necessary for automation but mean the skill will read/write persistent local state (profiles/cookies) and present external login links — review these flows carefully.
Install Mechanism
ok
There is no automated install spec in the registry metadata (instruction-only SKILL.md), so nothing will be downloaded/installed automatically by the platform beyond the listed files. The README suggests manual download and uv sync to install Python deps; that is a reasonable, low-risk install approach when performed manually.
Credentials
note
The skill declares no required environment variables, which fits. However, the code honors optional env vars (CHROME_BIN, XHS_PROXY) and will create persistent files under ~/.xhs (Chrome profiles, accounts.json) and temp session files; cookies and Chrome profiles persist login state and effectively store credentials/session tokens. Persisting session data is expected for browser automation, but it is sensitive — the skill does not declare these persistence details in the top-level requires.env. Verify you are comfortable with persistent browser profile/cookie storage and any proxy settings before use.
Persistence & Privilege
note
The skill is not always-enabled and does not request elevated platform privileges, but it creates and manages persistent state: Chrome profiles and cookies under ~/.xhs, account metadata (~/.xhs/accounts.json), and session/login tab files under the temp directory. That grants the skill ongoing local access to authenticated sessions after login — expected for this use case but a material persistence/privilege consideration for security-conscious users.