Xiaohongshu Mcp 1.0.0
Security checks across malware telemetry and agentic risk
Overview
The skill is openly aimed at Xiaohongshu automation, but it can use a logged-in account to publish public content through an externally downloaded local server without clear approval, credential-scope, or provenance safeguards.
Only install this if you are comfortable running the external Xiaohongshu MCP binaries and giving them access to a logged-in Xiaohongshu account. Start the local server only when needed, verify the downloaded release yourself, and require manual review before any publish command is run.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could post public content to the user's Xiaohongshu account if invoked with publish arguments.
The bundled client can publish content to the logged-in Xiaohongshu account directly through the local server, with no confirmation prompt or approval gate shown before the account mutation.
def publish_note(title, content, images, tags=None): ... requests.post(f"{BASE_URL}/api/v1/publish", json=payload, timeout=120)
Require explicit user confirmation immediately before publishing, show the exact title/content/images/tags, and document how to delete or roll back a post.
The local server may retain access to the user's Xiaohongshu account and perform account actions while the session remains valid.
The skill depends on a reusable Xiaohongshu account session, but the artifacts do not explain where that session is stored, how it is scoped, how it is revoked, or how account authority is limited.
Run the login tool. It will open a browser window with a QR code. Scan it with your Xiaohongshu mobile app. ... Do not log into the same Xiaohongshu account on any other web browser, as this will invalidate the server's session.
Clearly declare the credential/session requirement, document storage and logout/revocation steps, and limit account actions to user-approved operations.
Users must trust an external binary that handles a logged-in social media session and publishing actions.
The setup relies on downloaded executable binaries and a login tool, but the artifacts provide no pinned release version, checksum, signature verification, or reviewed install specification.
Download the appropriate binaries for your system from the GitHub Releases page. ... chmod +x xiaohongshu-mcp-darwin-arm64 xiaohongshu-login-darwin-arm64
Pin an exact release, provide checksums or signatures, document the binary provenance, and prefer a reviewed install specification.
If the local server is reachable by other local tools or agents, they may be able to query feeds or trigger account actions while the user is logged in.
The client sends account actions to a local MCP HTTP server, and the artifacts do not show an authentication header, caller identity check, or boundary explaining which local processes may access the server.
BASE_URL = "http://localhost:18060" ... requests.post(f"{BASE_URL}/api/v1/publish", json=payload, timeout=120)
Run the server only when needed, bind it to localhost only, add API authentication or per-action approval, and document the local access boundary.
