XiaoHongShu

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its XiaoHongShu automation purpose, but it needs review because it can change account state, includes underdocumented engagement-manipulation code, logs session cookies, and uses unsafe config execution.

Install only if you understand that this can use a XiaoHongShu session cookie to act as your account. Avoid important accounts, do not paste cookies into shared logs or chats, and review or remove the read-count metrics workflow, comment mutation APIs, session-cookie logging, and eval-based config parser before using it in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

eval() call detected

High
Category
Dangerous Code Execution
Content
"""
        获取配置项的通用方法
        """
        return eval(self.config.get(section, key, fallback=fallback))

# 单例模式
xhs_config = Config()
Confidence
99% confidence
Finding
return eval(self.config.get(section, key, fallback=fallback))

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly enables outbound network access to XiaoHongShu endpoints and related services, but the metadata does not declare permissions accordingly. Undeclared network capability is dangerous because it reduces transparency for users and hosting platforms, making data exfiltration, scraping, or account-affecting requests harder to evaluate before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented description presents the skill as a data collection and interaction toolkit, but the detected behavior includes materially more sensitive capabilities such as comment posting/deletion, login flows, and metrics/reporting that can simulate engagement. This mismatch is dangerous because operators may invoke the skill under the assumption it is primarily read-only or limited, while it can perform hidden account actions or platform-manipulating behavior.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This file adds authentication and account-verification capabilities, including QR login and SMS code sending, which materially expand the skill from passive data collection into account access workflows. In the context of a scraping/interaction toolkit that already handles session cookies and anti-bot parameters, this increases the risk of unauthorized account takeover, misuse of user sessions, or deceptive automation beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This code does more than passive data collection: it actively simulates user engagement by sending note-entry/exit metrics and packaging the behavior as a way to 'increase' read counts. That is dangerous because it enables artificial inflation of platform engagement signals and can be used for fraud, manipulation of ranking systems, or evasion of anti-abuse controls.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The randomized branch and sleep interval are designed to mimic human dwell behavior before submitting engagement reports, which indicates deliberate anti-detection behavior rather than normal API access. This is dangerous because it helps automated abuse appear organic, increasing the effectiveness of fake engagement and reducing the chance of detection by platform defenses.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function builds a seemingly dynamic browser fingerprint, then overwrites it with a hard-coded snapshot containing fixed user agent, cookies, referer, and navigation state. In a scraping/interaction toolkit that claims to automatically handle anti-bot parameters, this strongly indicates deliberate browser impersonation and reuse of embedded session-linked values, which can enable unauthorized access or account/session misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises follow and like features without clearly warning that these operations will execute real account actions on behalf of the user when authenticated. This is dangerous because users may supply a session cookie for data access and inadvertently authorize social interactions, reputational changes, or policy-violating automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to provide a web_session cookie for authenticated access but does not include strong handling guidance for this sensitive credential. Session cookies can grant account access equivalent to login, so exposing them in prompts, logs, shared notebooks, or transcripts can lead to account takeover or unauthorized actions.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The function transmits a phone number to a remote login endpoint, which is sensitive personal data. In this skill's context, the toolkit is designed for scraping and automated interaction, so embedding login/SMS initiation without any visible consent, disclosure, or guardrails raises privacy and abuse concerns, including unsolicited OTP triggering or user enumeration workflows.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The like_note method issues a state-changing request that affects a user account without any built-in confirmation, consent boundary, or safeguard in this API layer. In a toolkit that supports automation against a social platform, this is dangerous because downstream callers can trigger account actions silently and at scale.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The entry metrics reporting transmits viewer and author identifiers plus interaction metadata to the remote service, and the code provides no disclosure, consent, or minimization controls. This is risky because it normalizes silent tracking behavior and can be combined with automation to generate misleading engagement records tied to specific accounts.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The exit metrics reporting continues the same undisclosed telemetry pattern by sending identity and engagement-related fields, including stay duration and comment-read state. This is dangerous because it creates a complete synthetic engagement trail that can misrepresent user behavior and expose account-linked activity without clear user awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
This workflow explicitly gathers account identity, fetches note details, generates a request ID, sends entry/exit metrics, and uses randomized timing to make the activity look real, all under a method named to increase read count. In the context of a XiaoHongShu automation toolkit, that makes the behavior especially dangerous because it directly enables covert manipulation of platform analytics and account-linked abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This finding describes the same dangerous behavior: configuration entries are treated as executable code with no safety boundary. Even if intended for convenience, evaluating config values creates a code injection primitive through a file that is normally expected to contain data, not code.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code takes fingerprint/profile data, encrypts it, and prepares it for transmission to a remote XiaoHongShu endpoint without any visible consent, minimization, or disclosure controls. In this skill context, the data appears to support device/browser fingerprinting for anti-bot or tracking purposes, which increases privacy and compliance risk because encryption only obscures the payload in transit and does not reduce the sensitivity of the collected data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The fingerprint includes the full cookie string in x57, which can expose session identifiers and authentication material to downstream logs, storage, telemetry, or third-party services. In this skill's context, the metadata explicitly mentions handling cookies such as a1 and web_session, so collecting and propagating full cookies materially increases the risk of credential leakage and account compromise.

VirusTotal

66/66 vendors flagged this skill as clean.