Xiaohongshu Operations Collection (Xiaohongshu All In One): stable and fast, based on API interfaces

Security checks across malware telemetry and agentic risk

Overview

This is a real Xiaohongshu automation skill, but it needs review because it stores login cookies, can post or comment on live accounts, and downloads and runs an unverified local server binary.

Install only if you trust the publisher and the upstream MCP release source. Treat user_cookies.json, cookies.json, and xsec tokens like passwords, run it in an isolated working directory if possible, confirm the active account before posting or commenting, and review the downloaded server binary provenance before starting it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                        if len(parts) >= 2:
                            return int(parts[1].strip('"'))
            else:
                result = subprocess.run(
                    ["pgrep", "-f", process_name],
                    capture_output=True,
                    text=True,
Confidence
81% confidence
Finding
result = subprocess.run( ["pgrep", "-f", process_name], capture_output=True, text=True, timeout=10

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if background:
            log_path = self.work_dir / "mcp.log"
            if self.os_type == "windows":
                subprocess.Popen(
                    [str(server_path)],
                    stdout=open(log_path, "w"),
                    stderr=subprocess.STDOUT,
Confidence
88% confidence
Finding
subprocess.Popen( [str(server_path)], stdout=open(log_path, "w"), stderr=subprocess.STDOUT, creationflag

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    cwd=str(self.work_dir)
                )
            else:
                subprocess.Popen(
                    [str(server_path)],
                    stdout=open(log_path, "w"),
                    stderr=subprocess.STDOUT,
Confidence
88% confidence
Finding
subprocess.Popen( [str(server_path)], stdout=open(log_path, "w"), stderr=subprocess.STDOUT, start_new_se

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates capabilities to read/write local files, invoke shell commands, and access the network, but it does not declare permissions explicitly. This weakens policy enforcement and user awareness, especially because the skill manages cookies, downloads binaries, and starts local services, all of which are sensitive operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes cookie import/export and stores account cookies in a local `user_cookies.json` file, but does not warn that these cookies are authentication secrets equivalent to session tokens. In the context of a multi-account automation client for Xiaohongshu, mishandled cookies could let an attacker hijack accounts or access private account actions if the file is exposed, shared, or committed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README provides ready-to-run commands for publishing posts and posting/replying to comments against live Xiaohongshu accounts, but does not warn that these operations change real account state and may create public-facing content. In an agent skill context, this is more dangerous because an automated system may invoke these commands on behalf of a user without fully appreciating that they are irreversible or externally visible actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text is broad enough that the skill may be invoked for loosely related requests involving Xiaohongshu data or publishing, increasing the chance of unintended activation. In this context, unintended activation is risky because the skill can perform network operations, manipulate accounts, and publish content on behalf of a user.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes high-impact actions such as switching accounts, logging out, publishing content, and performing engagement actions without an explicit confirmation step or warning. Because these actions affect external accounts and public content, accidental or prompt-induced execution could cause reputational harm, account misuse, or irreversible platform actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists account cookies directly to `user_cookies.json` in plaintext, which exposes session secrets to any local user, backup system, malware, or process with filesystem access. In this skill's context, those cookies likely authenticate Xiaohongshu accounts, so disclosure can enable account takeover or unauthorized posting/data access without re-authentication.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`switch_account()` writes stored cookies into `cookies.json`, replacing whatever credentials were there before, which can silently expose or reuse sensitive session tokens across components that read that file. Because this skill manages multiple Xiaohongshu accounts and publishing actions, silent cookie replacement increases the risk of accidental cross-account actions, credential leakage, and unauthorized use if the file is monitored or shared.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code extracts ZIP/TAR archives from a remote release directly into the working directory using `extractall` without validating member paths. This is dangerous because a malicious archive can perform path traversal and overwrite arbitrary files outside the target directory, and in this skill it also stages executables that may later be run.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The service can forcibly kill a process owning the configured port, and may do so based on broad process-detection logic rather than a PID it previously spawned. In a multi-user or shared environment, this can disrupt unrelated local services and creates an availability risk.

VirusTotal

66/66 vendors flagged this skill as clean.
