Xhsfenxi Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed Xiaohongshu analysis/scraping tool, but it also uses saved session cookies, intercepts authenticated traffic, persists creator profiles, and includes account-writing and optional outbound automation that need careful review.

Install only if you intentionally want an authenticated Xiaohongshu scraping and analysis workflow. Treat the cookie file as a secret, review or disable post_comment() and onboarding automations, avoid enabling webhook/cron/update features unless you understand what they send or run, and periodically delete local blogger/report data you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (27)

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The metadata claims a privacy-cleaned, methodology-only skill, but the README documents active cookie-backed scraping, API interception, and collection of user/content data. This discrepancy can cause operators to trust and deploy the skill under false assumptions, increasing the chance of unauthorized collection, privacy violations, or policy circumvention.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The manifest claims a privacy-clean, methodology-only library with no analyzed blogger data included, yet later states that each run appends newly analyzed bloggers to a local database. Even if the initial package is clean, the runtime behavior still accumulates potentially sensitive profiling data, which contradicts the privacy representation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The onboarding asks to star the skill via an external API call using a bearer token, which is unrelated to Xiaohongshu analysis. This mixes marketing/account actions into a productivity skill and creates unnecessary token use and outbound network activity, raising the risk of over-privileged behavior and user manipulation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The heartbeat cron setup extends the skill into persistent scheduling and monitoring beyond its core analysis purpose. Persistent automation increases attack surface and can normalize long-lived background behavior without strong need, especially when tied to cookie state and notifications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The auto-update workflow performs recurring network checks and proposes running update commands, which exceeds the declared analysis function. Update channels are security-sensitive; embedding them without strong provenance, signature verification, and user review creates supply-chain and unexpected-change risks.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Automatic posting of analysis summaries to Telegram/Feishu/Slack/Discord is outside the stated local-analysis/reporting role and introduces outbound sharing of generated data. Because the payload includes creator identity, findings, and document paths, it can leak sensitive or proprietary analysis to third parties if enabled without strict safeguards.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The documentation says cookie files are local only and never transmitted, but the same skill later describes recurring health checks, push alerts, and webhook integrations that send status or result data outward. Even if raw cookies are not exfiltrated, the assurance is overly broad and can mislead users about the extent of external data flows.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The code persists analyzed blogger records, creator names, user IDs, tags, formulas, and archetype example names to local JSON files, which conflicts with the stated 'privacy-clean' and 'methodology-only' positioning. This creates a real data-retention/privacy risk because personal or profile-linked data can accumulate silently and be exposed, reused, or mishandled later.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The client includes a fully implemented `post_comment()` capability that performs authenticated account actions on a third-party platform, even though the skill is presented as a data collection and analysis library. This expands the trust boundary from passive scraping to active account manipulation, creating risk of spam, policy violations, reputational damage, or abuse if downstream agents call it without strong guardrails.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The top-level documentation frames the module as a scraping and analysis client, but the implementation also supports posting comments. This mismatch can mislead users, reviewers, or calling agents into granting broader privileges than expected, increasing the chance that a supposedly read-only tool is used for unsolicited platform actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The example script performs real user-note collection and then enriches the dataset by fetching note details, which contradicts the stated 'privacy-clean' and 'methodology-only' positioning of the skill. Even though it uses a placeholder user ID, the code is directly operational for scraping a specific user's content and exporting it, creating privacy and compliance risk if used on real accounts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The code hard-codes paths to cookie files and related assets outside the skill's own directory, including a sibling project path for live authentication material. In a skill advertised as a 'pure methodology library', this creates unexpected access to sensitive session state and broadens the trust boundary, increasing the risk of unauthorized credential exposure or cross-project data access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The utility functions actively inspect live cookie validity, expiry, and freshness, which goes beyond passive methodology content and interacts with authentication state. Even though this code only reads and reports status, it operationalizes access to session artifacts and can facilitate continued use of authenticated accounts in a way not reflected in the skill description.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The workflow explicitly persists analyzed creator data into a blogger database, which contradicts the stated 'privacy-clean' positioning and creates undisclosed retention of profile-level data. Even if the source data is publicly visible, automatic storage and reuse increase privacy, compliance, and trust risks because operators may believe the skill is methodology-only while it is actually building a dataset.

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding: The workflow merges user-provided documents and third-party enrichment into the analysis, which goes beyond a pure methodology library and increases the chance of ingesting, propagating, or misattributing external data. This is risky because it expands data collection scope without clear disclosure, provenance controls, or validation boundaries.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The file states that blogger profiles are automatically appended after each invocation, meaning the skill accumulates a growing database of analyzed individuals despite being described as a privacy-clean distribution. This silent aggregation is more dangerous than one-off output generation because it creates long-term retained records and can enable profiling at scale.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README instructs users to log in, save cookies to disk, and reuse them for scraping, but provides no warning about the sensitivity of session cookies or the risk of account takeover if they are exposed. In an agent skill context, persisted cookies may be readable by other tools, logs, or users, making this especially dangerous because they can grant direct authenticated access without credentials.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README documents bulk collection and saving of note content, comments, author identifiers, and interaction data without any privacy, consent, retention, or access-control guidance. In a scraping skill designed to intercept authenticated responses, this materially raises the risk of over-collection, improper storage, downstream leakage, and misuse of personal data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The post-analysis push workflow can transmit analysis summaries and document paths to third-party channels without an explicit privacy warning in the feature itself. Generated reports may contain sensitive business intelligence, profiling content, or filesystem information that users do not expect to leave the local environment.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The module writes collected blogger and archetype data to local JSON files without any built-in disclosure, consent flow, or visibility to the end user. Silent persistence of analysis data is dangerous because users may reasonably assume the skill is transient, especially given the privacy-clean branding, leading to undisclosed retention of potentially sensitive profile-linked information.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This code deliberately injects authentication cookies into a browser session and installs JavaScript/CDP hooks to intercept and cache API responses from Xiaohongshu endpoints. In the context of a scraping/analysis skill, that behavior enables harvesting authenticated data from a live user session without any built-in consent flow, scope limitation, or safeguards around sensitive response capture, creating clear privacy, account misuse, and potential terms/circumvention risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: `post_comment()` executes a visible user-facing action immediately after navigation, with no built-in confirmation, dry-run mode, or approval step. In agentic or automated environments, this makes accidental or unauthorized posting much more likely, especially when authenticated cookies are already loaded into the browser session.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The script saves scraped notes to a local JSON file without any notice about sensitivity, retention, access controls, or downstream handling. Persisting collected user content to disk increases the chance of unintended disclosure, reuse, or accumulation of profile data, especially in a tool explicitly designed for end-to-end analysis.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The workflow writes structured outputs and appends creator records without clearly warning users that data will be modified and persisted. Lack of transparency around side effects is a security and safety issue because users may invoke analysis expecting read-only behavior while the skill silently creates durable records.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The workflow performs external data collection and writes note data to temporary files without any visible privacy, storage, or handling notice. In this context, even temporary outputs can expose scraped content, identifiers, or derived datasets to other processes or later reuse if file permissions and cleanup are not controlled.

VirusTotal

66/66 vendors flagged this skill as clean.