XHS-Ops: Xiaohongshu Operations Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent with its stated purpose, Xiaohongshu operations, but it can drive a logged-in account to post public comments automatically, and the scoping and safety controls around that capability are weak.

Install it only if you intentionally want Xiaohongshu account automation. If you do:
  • run in dry-run mode first and manually approve every live comment
  • verify the provenance of the xiaohongshu-mcp binary before trusting it
  • avoid shared machines
  • delete /tmp/xhs-search-results.json after use
  • set it up in an isolated virtual environment rather than the system Python

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes substantial capabilities including shell execution, filesystem access, network access, and MCP access, but does not declare permissions or scope boundaries. This weakens user and platform visibility into what the skill can do, increasing the risk of unexpected local command execution, file access, or outbound/API actions when the skill is invoked.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and include common terms like "写一篇", "出内容", and "generate cover", which could cause the skill to activate outside its intended Xiaohongshu-specific context. Because the skill has powerful capabilities and can perform posting/commenting workflows, accidental invocation could lead to unintended automation, local execution, or account-affecting actions.
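One way to scope such triggers, as an added example that is not the skill's own trigger definition: the three generic phrases are the ones the finding quotes, while the Xiaohongshu anchor terms and the explicit invocation strings are assumptions about how a narrowed trigger could look. A generic phrase alone never activates the skill; it must co-occur with a platform anchor, or the user must name the skill.

```python
# Added example, not the skill's trigger code. GENERIC_TRIGGERS come from the
# finding above; XHS_ANCHORS and EXPLICIT_INVOCATIONS are assumed values.
GENERIC_TRIGGERS = ("写一篇", "出内容", "generate cover")
XHS_ANCHORS = ("小红书", "xiaohongshu", "xhs")
EXPLICIT_INVOCATIONS = ("/xhs-ops", "use xhs-ops")


def should_activate(prompt: str) -> bool:
    """Fire only when a generic phrase co-occurs with a Xiaohongshu anchor, or
    when the user invokes the skill by name. A bare "写一篇" or "generate cover"
    is not enough to hand control to a skill that can post from a live account."""
    text = prompt.casefold()
    if any(inv in text for inv in EXPLICIT_INVOCATIONS):
        return True
    generic = any(t.casefold() in text for t in GENERIC_TRIGGERS)
    anchored = any(a.casefold() in text for a in XHS_ANCHORS)
    return generic and anchored


if __name__ == "__main__":
    for p in ("帮我写一篇小红书笔记", "写一篇季度总结报告", "generate cover for the xhs post"):
        print(p, "->", should_activate(p))
```

The anchor check is deliberately a co-occurrence test rather than a separate keyword list, so a prompt such as "写一篇季度总结报告" ("write a quarterly summary report") stays with the general assistant instead of reaching a skill that can act on an account.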

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill supports automated commenting, including live (non-dry-run) posting, but does not present a prominent warning that this acts on a real Xiaohongshu account and can trigger platform moderation, blocks, or reputation damage. Automation against a social platform is especially sensitive: a mistaken invocation or misuse can produce spam-like behavior, account sanctions, or actions the account owner never authorized.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The comment-posting helper forwards feed identifiers, xsec_token values, and comment text directly to the MCP service over plain HTTP, which may expose session-related tokens and user-generated content. Because the helper exists specifically to automate social-platform actions, handing tokens to a local service without stronger transport and trust controls increases the risk of token misuse or interception wherever the local boundary is weak, for example on a shared host where other processes can reach the same port.
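The two findings above (live posting without a warning, and raw xsec_token values handed to the MCP service) can be addressed together in a small gate in front of the posting helper. The block below is an added example, not the skill's own helper: the MCP endpoint URL, the `send` callable that performs the real MCP comment call, and the `approve` callback are assumptions; the feed_id / xsec_token / content fields mirror the finding. It defaults to dry-run, requires an explicit per-comment approval, caps live comments per run, refuses any non-loopback endpoint, and never writes the raw token to its audit log.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

# Added example, not the skill's code. `send`, `approve` and the endpoint URL
# are assumed interfaces; the payload fields come from the finding above.


class SafetyError(RuntimeError):
    """Raised when a guard refuses to let a comment leave the process."""


def assert_loopback_endpoint(url: str) -> None:
    """Only ever hand xsec_token to a local MCP process. Loopback keeps the
    token off the network; it does not protect it from other local users."""
    host = urlparse(url).hostname
    if host not in ("127.0.0.1", "::1", "localhost"):
        raise SafetyError(f"MCP endpoint must be loopback, got {host!r}")


def redact(payload: dict) -> dict:
    """Copy of the payload that is safe to log: the session token is masked."""
    return {k: ("<redacted>" if k == "xsec_token" else v) for k, v in payload.items()}


@dataclass
class CommentGate:
    mcp_url: str
    send: Callable[[dict], str]       # performs the real MCP post; injected so it can be stubbed
    approve: Callable[[dict], bool]   # asks the operator about each live comment
    dry_run: bool = True              # safe default: live posting is opt-in
    max_live: int = 5                 # hard cap on live comments per run
    audit_log: list = field(default_factory=list)
    live_count: int = field(default=0, init=False)

    def post_comment(self, feed_id: str, xsec_token: str, content: str) -> str:
        assert_loopback_endpoint(self.mcp_url)
        payload = {"feed_id": feed_id, "xsec_token": xsec_token, "content": content}
        self.audit_log.append(redact(payload))        # never log the raw token
        if self.dry_run:
            return "dry-run"                          # nothing leaves the process
        if self.live_count >= self.max_live:
            raise SafetyError("per-run live comment cap reached")
        if not self.approve(redact(payload)):
            return "skipped"                          # operator said no
        self.live_count += 1
        return self.send(payload)


if __name__ == "__main__":
    # Port is an assumption for illustration; the real value comes from the MCP setup.
    gate = CommentGate("http://127.0.0.1:18060",
                       send=lambda p: "posted",
                       approve=lambda p: input(f"post {p}? [y/N] ").lower() == "y")
    print(gate.post_comment("feed-1", "tok-1", "nice post"))   # dry-run by default
```

The cap is checked before the approval prompt, so a comment the operator declines does not consume the budget, and the approval callback only ever sees the redacted payload.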

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script sends user-supplied or configured keywords to an external MCP service via `mcp.search_feeds(...)` without any notice, consent flow, or warning that search terms leave the local environment. In an operations skill, keywords may contain campaign plans, sensitive topics, or internal research terms, so silent transmission creates a real privacy and data-handling risk even if it is expected functionality.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The script writes search results, including titles, authors, engagement metrics, IDs, and tokens, to a predictable file in `/tmp` without warning the user. On multi-user systems or environments where `/tmp` is shared or loosely controlled, this can expose operational research artifacts or platform identifiers to other local processes and users.
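The weak pattern from this finding, beside a hardened form, as an added example that is not the skill's script: the fixed /tmp path is the one the page tells users to delete, and the results list is constructed sample data shaped like the fields the finding lists. The hardened version writes to a 0600 file inside a fresh 0700 directory and removes both when the block exits, so tokens and feed IDs never outlive the run.

```python
import json
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path

# Added example, not the skill's script. SHARED_PATH is the path the page names;
# SAMPLE is constructed data.

SHARED_PATH = Path("/tmp/xhs-search-results.json")


def write_results_shared(results: list) -> Path:
    """The weak pattern from the finding: a fixed, predictable name in shared
    /tmp, created with the process umask (typically world-readable) and left
    behind until someone remembers to delete it."""
    SHARED_PATH.write_text(json.dumps(results, ensure_ascii=False), encoding="utf-8")
    return SHARED_PATH


@contextmanager
def private_results_file(results: list, base_dir=None):
    """Hardened form: 0600 file in a fresh 0700 directory, deleted on exit."""
    base = Path(base_dir) if base_dir else Path(tempfile.gettempdir())
    work_dir = Path(tempfile.mkdtemp(prefix="xhs-", dir=base))   # mkdtemp creates mode 0700
    fd, name = tempfile.mkstemp(suffix=".json", dir=work_dir)      # mkstemp creates mode 0600
    path = Path(name)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(results, f, ensure_ascii=False)
        yield path
    finally:
        path.unlink(missing_ok=True)   # remove even if the caller raised
        work_dir.rmdir()


def mode_of(path) -> int:
    """Permission bits only, e.g. 0o600."""
    return stat.S_IMODE(Path(path).stat().st_mode)


def load_results(path) -> list:
    return json.loads(Path(path).read_text(encoding="utf-8"))


SAMPLE = [  # constructed sample, shaped like the fields the finding lists
    {"feed_id": "feed-1", "title": "sample", "author": "user-a", "likes": 12, "xsec_token": "tok-1"},
]

if __name__ == "__main__":
    with private_results_file(SAMPLE) as p:
        print(p, oct(mode_of(p)), load_results(p))
    # after the block the file and its directory are gone
```

Relying on mkdtemp/mkstemp for the permission bits (rather than chmod after the fact) avoids the window in which a default-umask file is briefly readable by others, which is the exposure the finding describes on shared hosts.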

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script installs Python packages globally and, on failure, retries with --break-system-packages, which can override distro-managed Python protections and alter the host environment without explicit consent. In a setup script for an agent skill, this is risky because users may run it directly and unintentionally destabilize their system Python or affect other applications.
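What a setup script should do instead, as an added example that is not the skill's setup script: install into an isolated virtual environment, and refuse, rather than retry with, any flag that bypasses the distro's protection of the system interpreter. The package list and the .venv location are assumptions.

```python
import subprocess
import sys
import venv
from pathlib import Path

# Added example, not the skill's setup script. Package names and the .venv
# location are assumptions for illustration.

FORBIDDEN_FLAGS = {"--break-system-packages"}   # never let setup bypass the distro's protection


def in_virtualenv() -> bool:
    """True when the running interpreter is a venv (sys.prefix differs from the base)."""
    return sys.prefix != sys.base_prefix


def venv_python(venv_dir) -> Path:
    """Interpreter path inside a venv, on both POSIX and Windows layouts."""
    venv_dir = Path(venv_dir)
    if sys.platform == "win32":
        return venv_dir / "Scripts" / "python.exe"
    return venv_dir / "bin" / "python"


def pip_install_command(packages, venv_dir) -> list:
    """pip invocation that targets the venv's own interpreter. --require-virtualenv
    makes pip itself refuse to run outside one, and a forbidden flag (even one
    smuggled in through the package list) is rejected instead of retried."""
    cmd = [str(venv_python(venv_dir)), "-m", "pip", "install", "--require-virtualenv", *packages]
    bad = FORBIDDEN_FLAGS.intersection(cmd)
    if bad:
        raise ValueError(f"refusing unsafe pip flags: {sorted(bad)}")
    return cmd


def ensure_venv(venv_dir) -> Path:
    """Create the venv if its interpreter is missing; idempotent otherwise."""
    if not venv_python(venv_dir).exists():
        venv.EnvBuilder(with_pip=True).create(venv_dir)
    return venv_python(venv_dir)


def install(packages, venv_dir=".venv") -> None:
    """Replacement for a global install with a --break-system-packages fallback:
    always install into the isolated venv, never into the system Python."""
    ensure_venv(venv_dir)
    subprocess.run(pip_install_command(packages, venv_dir), check=True)


if __name__ == "__main__":
    install(["requests"])   # package name assumed for illustration
```

Running pip through the venv's own interpreter (rather than relying on an activated shell) means the guard holds even when the script is executed directly, which is the case the finding is worried about.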

VirusTotal

66/66 vendors flagged this skill as clean.