Easy Xiaohongshu

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Xiaohongshu content-generation purpose, but it includes live posting, plaintext secret storage, and an under-documented background auto-commit script that should be reviewed before install.

Review this before installing if you plan to use publishing or auto-sync. Treat config/local-config.json as a secret, do not commit it, verify the MCP URL is one you trust, and avoid running setup-auto-sync.sh unless you explicitly want background git commits of this skill directory. VirusTotal telemetry was pending and did not drive this verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The installer header says it only sets up the environment, installs dependencies, and guides API key configuration, but it also configures publishing-related MCP settings and probes a local MCP service. This is a transparency and informed-consent issue: users may authorize the script under a narrower understanding than what it actually enables.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README invites invocation with a broad natural-language request ('帮我制作内容', "help me create content") without clearly constraining whether the skill may proceed all the way through generation and publication. In a skill that can generate images and publish to a live Xiaohongshu account, ambiguous triggering increases the risk of unintended high-impact actions being initiated from casual user phrasing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README describes an end-to-end flow culminating in automatic publication to Xiaohongshu, but it does not prominently warn that this can affect a real logged-in account. Because publication is an externally state-changing action tied to a persistent authenticated session, insufficient warning can lead users to authorize or invoke the skill without appreciating that it may post live content.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The configuration section explains how to place API keys in local files and notes that login sessions are saved after first login, but it does not clearly warn about the sensitivity of these secrets and session artifacts. This omission can lead users to store credentials insecurely, commit them to version control, or underestimate the risk of local compromise enabling unauthorized API use or account posting.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script reads an API key from the terminal and stores it in a plaintext local JSON file without warning about credential sensitivity, file permissions, or safer alternatives. If the workspace is shared, backed up, committed, or readable by other local users, the key can be exposed and abused.
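The two findings above (the README's silence on secret sensitivity and the installer's plaintext write of the key) both come down to the same hygiene: the file holding the key must be owner-only and must never be tracked by git. The block below is an added example, not code from the skill or from SkillSpector. It assumes the key lives in config/local-config.json under the skill directory as the report describes; the JSON layout (a top-level "api_key" field) and the .gitignore matching rules are assumptions, and the git check is a simplified approximation of git's own semantics.

```python
import fnmatch
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not the skill's own code. Path matches the report; the JSON
# layout is an assumption.
CONFIG_REL_PATH = Path("config") / "local-config.json"


def save_local_config(skill_dir: Path, api_key: str) -> Path:
    """Write the key so that only the owning user can read it.

    Creating the file through os.open with mode 0600 avoids the window in
    which a default umask (commonly 022, i.e. world-readable) would apply
    before a later chmod. The explicit chmod covers a pre-existing file.
    """
    path = skill_dir / CONFIG_REL_PATH
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"api_key": api_key}, fh)
    os.chmod(path, 0o600)
    return path


def _gitignored(skill_dir: Path, rel_path: Path) -> bool:
    """Approximate matching against a .gitignore at the skill root.

    Handles plain paths, a leading '/', directory patterns and '*' globs.
    Negation ('!') rules and nested .gitignore files are not modelled.
    """
    ignore_file = skill_dir / ".gitignore"
    if not ignore_file.is_file():
        return False
    target = rel_path.as_posix()
    for raw in ignore_file.read_text(encoding="utf-8").splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#") or pat.startswith("!"):
            continue
        pat = pat.lstrip("/")
        if pat.endswith("/"):
            pat += "*"  # fnmatch '*' also crosses '/', so this covers the subtree
        if target == pat or fnmatch.fnmatch(target, pat) or fnmatch.fnmatch(target, "*/" + pat):
            return True
    return False


def check_config_hygiene(skill_dir: Path) -> list[str]:
    """Return the problems a reviewer would flag for the stored secret."""
    problems = []
    path = skill_dir / CONFIG_REL_PATH
    rel = CONFIG_REL_PATH.as_posix()
    if not path.exists():
        return [f"{rel} is missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{rel} is group/world accessible (mode {mode:04o})")
    if not _gitignored(skill_dir, CONFIG_REL_PATH):
        problems.append(f"{rel} is not listed in .gitignore")
    return problems


def demo() -> dict:
    """Run the scenario in a scratch directory and report each step's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp)
        path = save_local_config(skill, "sk-example-not-a-real-key")  # constructed value
        mode_after_save = stat.S_IMODE(path.stat().st_mode)
        before = check_config_hygiene(skill)          # perms fine, but not ignored yet
        (skill / ".gitignore").write_text("config/local-config.json\n", encoding="utf-8")
        after = check_config_hygiene(skill)           # clean
        os.chmod(path, 0o644)                         # simulate a careless chmod/umask
        loosened = check_config_hygiene(skill)        # perms problem resurfaces
        return {"mode_after_save": mode_after_save, "before": before,
                "after": after, "loosened": loosened}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permission check is POSIX-only; on Windows the mode bits are not meaningful and an ACL check would be needed instead. Running `check_config_hygiene` from the skill's setup script, before the key is written, would have surfaced both of the issues the finding describes.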

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The publish subcommand directly invokes an external posting action via publish_note() using user-supplied title, content, images, and tags, but this file provides no user-facing warning, dry-run mode, or confirmation prompt before triggering that irreversible side effect. In a CLI that automates social-media publishing, accidental execution, script misuse, or unsafe chaining in automation can cause unintended public posts, reputational harm, or disclosure of sensitive content.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The function sends prompts derived from user-controlled fields such as account_type, content_direction, target_audience, and topic to an external Gemini API via requests.post. In this file there is no visible consent flow, redaction, or disclosure mechanism, so potentially sensitive business or personal content may be transmitted to a third party without the user's informed awareness.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The function transmits title, body text, tags, and base64-encoded local images to a remote MCP endpoint with no explicit consent, disclosure, or trust validation visible in this code path. In an agent skill context, this can cause unintended exfiltration of sensitive user content or local files if callers do not clearly understand that publication involves remote transmission.
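The two publishing findings (no dry-run or confirmation before publish_note(), and no trust validation of the MCP endpoint that receives the post and base64 images) can be addressed with one gate in front of the posting call. The block below is an added example and is not the skill's code; it stands in for the real publish_note() with a recording callable. The allowlist of MCP hosts, the default endpoint URL, the Note fields and the CLI flag names are all assumptions chosen for the illustration.

```python
import argparse
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

# Added example, not the skill's own code. Allowlist and default URL are assumed.
TRUSTED_MCP_HOSTS = frozenset({"127.0.0.1", "localhost"})
DEFAULT_MCP_URL = "http://127.0.0.1:8000/mcp"


@dataclass
class Note:
    title: str
    content: str
    images: list[str] = field(default_factory=list)   # local paths, sent base64-encoded
    tags: list[str] = field(default_factory=list)


class UntrustedEndpoint(ValueError):
    """Raised before any content leaves the machine."""


def validate_mcp_url(url: str, trusted_hosts=TRUSTED_MCP_HOSTS) -> str:
    """Refuse endpoints that are not allowlisted, carry embedded credentials,
    or use plain http to anything other than loopback."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise UntrustedEndpoint(f"unsupported scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise UntrustedEndpoint("credentials embedded in MCP URL")
    if parts.hostname not in trusted_hosts:
        raise UntrustedEndpoint(f"MCP host {parts.hostname!r} is not allowlisted")
    if parts.scheme == "http" and parts.hostname not in ("127.0.0.1", "localhost"):
        raise UntrustedEndpoint("plain http is only accepted to loopback")
    return url


def guarded_publish(note: Note, mcp_url: str, send: Callable[[str, Note], dict],
                    confirm: Callable[[str], bool], dry_run: bool = False) -> dict:
    """Validate the endpoint, then either describe (dry run), ask, or send.

    The returned dict makes it observable whether anything was transmitted.
    """
    url = validate_mcp_url(mcp_url)
    summary = (f"Publish to {url}: title={note.title!r}, {len(note.content)} chars, "
               f"{len(note.images)} image(s), tags={note.tags}")
    if dry_run:
        return {"sent": False, "reason": "dry-run", "summary": summary}
    if not confirm(summary):
        return {"sent": False, "reason": "declined", "summary": summary}
    return {"sent": True, "reason": "published", "summary": summary, "result": send(url, note)}


class RecordingSender:
    """Stand-in for publish_note(): records calls instead of posting."""

    def __init__(self):
        self.calls: list[tuple[str, str]] = []

    def __call__(self, url: str, note: Note) -> dict:
        self.calls.append((url, note.title))
        return {"ok": True, "note_id": "demo"}  # constructed response


def cli(argv: list[str], send: Callable[[str, Note], dict],
        ask: Callable[[str], str] = input) -> dict:
    """Minimal 'publish' subcommand: nothing is posted without --yes or a typed 'yes'."""
    parser = argparse.ArgumentParser(prog="easy-xhs")
    sub = parser.add_subparsers(dest="cmd", required=True)
    pub = sub.add_parser("publish")
    pub.add_argument("--title", required=True)
    pub.add_argument("--content", required=True)
    pub.add_argument("--image", action="append", default=None)
    pub.add_argument("--tag", action="append", default=None)
    pub.add_argument("--mcp-url", default=DEFAULT_MCP_URL)
    pub.add_argument("--dry-run", action="store_true", help="show what would be posted and stop")
    pub.add_argument("--yes", action="store_true", help="skip the interactive confirmation")
    args = parser.parse_args(argv)
    note = Note(args.title, args.content, args.image or [], args.tag or [])
    if args.yes:
        confirm = lambda _summary: True
    else:
        confirm = lambda summary: ask(summary + "\nPost this live? [yes/N] ").strip().lower() == "yes"
    return guarded_publish(note, args.mcp_url, send, confirm, dry_run=args.dry_run)


if __name__ == "__main__":
    import sys
    print(cli(sys.argv[1:], send=RecordingSender()))
```

Endpoint validation runs before the dry-run branch on purpose: a dry run should report the same refusal a live run would, so a misconfigured MCP URL is caught at rehearsal time rather than when the user finally passes --yes.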

VirusTotal

64/64 vendors flagged this skill as clean.
