v1.0.0

XHS-Ops: Xiaohongshu Operations Toolkit

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

This Xiaohongshu toolkit is coherent for content operations, but it needs careful review because it can use a logged-in Xiaohongshu session to post public comments and depends on an external MCP binary that handles account access.

GuidanceTreat this as a tool that can act on your Xiaohongshu account, not just a content generator. Before installing, verify the external xiaohongshu-mcp binary, keep the MCP service local and trusted, use dry-run first, manually approve every comment or post, and clean up the saved /tmp search results and login session when finished.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/comment.py

result = mcp.post_comment(feed_id, xsec_token, comment_text)

The comment helper directly calls the MCP comment-posting function after only a blacklist check, with no explicit confirmation step in the function itself.

User impactAn agent workflow could publish comments on Xiaohongshu that the user has not individually reviewed, creating spam, moderation, or reputation risk.

RecommendationKeep dry-run as the default, require manual approval for every comment before calling post_single_comment, and enforce daily/comment-rate limits in the actual posting path.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

scripts/setup.sh

curl -L -o mcp.tar.gz https://github.com/xpzouying/xiaohongshu-mcp/releases/latest/download/xiaohongshu-mcp-darwin-arm64.tar.gz

The setup guidance pulls a latest-release external binary without a pinned version or checksum; that binary is central to login and Xiaohongshu API actions.

User impactThe account-control component comes from outside the reviewed package, so a changed or compromised release could affect the user's Xiaohongshu session.

RecommendationPin a specific reviewed release, verify checksums/signatures, and inspect the MCP binary source/release provenance before logging in.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Cookie expires ~30 days; re-login: `./xiaohongshu-login-darwin-arm64`

The skill relies on a persistent logged-in Xiaohongshu session even though the registry declares no primary credential, and other artifacts use that session to post comments.

User impactInstalling and using this skill can allow actions under the user's Xiaohongshu account, including public comments, until the session expires or is revoked.

RecommendationUse only with a trusted MCP binary and account, revoke or refresh the login session when done, and require explicit user approval before any account action.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/mcp_client.py

resp = requests.post(self.mcp_url, ... "method": "tools/call", ... "params": {"name": name, "arguments": arguments or {}})

The skill delegates searches, feed-detail retrieval, and comment posting to a local MCP service; this is expected for the skill but makes the MCP service a sensitive trust boundary.

User impactIf the local MCP endpoint or its configuration is not trusted, Xiaohongshu data and account actions could be routed through the wrong service.

RecommendationKeep the MCP URL on a trusted local endpoint, do not expose the MCP port to other machines, and confirm which MCP server is running before using account actions.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/search_hot.py

RESULTS_PATH = "/tmp/xhs-search-results.json"

Search results are persisted in a shared temporary file for later tools, and the saved records include feed IDs, titles, authors, engagement metrics, keywords, and xsec_token values.

User impactOther local processes or later agent steps may read or reuse platform result data that was saved for the workflow.

RecommendationDelete /tmp/xhs-search-results.json when finished, avoid storing sensitive campaign data there, and consider a user-private cache location with tighter permissions.