RedBookSkills - Xiaohongshu Publishing Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Xiaohongshu automation tool, but it can publish, comment, like, bookmark, and control an authenticated browser session with limited built-in confirmation or safety boundaries.

Install only if you are comfortable giving the skill control of a logged-in Xiaohongshu browser session. Use --preview or the fill-only workflow first, prefer a test account, keep CDP bound to localhost or a trusted tunnel, avoid exposing QR/base64 login artifacts, and verify the active account and post/comment content before any live action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

MCP Least Privilege

Medium
Confidence
95% confidence
Finding
The skill clearly instructs the agent to use shell commands, read and write local files, access network resources, and control a browser/CDP endpoint, yet no permissions are declared. This creates a dangerous trust gap: a host system or user may authorize the skill assuming limited scope while it can publish content, interact with accounts, download remote media, and access local paths.

MCP Tool Poisoning

High
Confidence
81% confidence
Finding
The documented behavior extends beyond the declared purpose by enabling content generation/planning and downloading remote images or videos into local temporary storage. Capability mismatch is risky because operators may approve a seemingly narrow posting tool without realizing it can ingest arbitrary URLs, create local files, and perform broader content-processing actions than advertised.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The guide advertises copywriting, tag recommendation, and content calendar features that are not reflected in the stated skill manifest. This creates scope mismatch and reduces operator trust: users or orchestrators may invoke undeclared behaviors, including AI-generated content workflows, without appropriate review, permissioning, or policy checks.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The workflow references analytics reporting on note data, but that capability is not declared in the manifest description. Undeclared data collection or reporting features can cause users to expose account or content metrics without understanding that the skill processes post-publication data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages remote CDP connections and export of login QR codes/Base64 for remote frontend display, but does not clearly warn that CDP access effectively grants powerful control over the authenticated browser session. If the remote debugging endpoint or QR/login artifacts are exposed to untrusted networks or clients, an attacker could hijack sessions, inspect cookies, automate actions as the user, or capture authentication material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code performs comment posting and reply submission immediately once CLI arguments are supplied, causing irreversible user-visible actions on a third-party platform without any secondary confirmation, dry-run mode, or clear warning at the point of execution. In an agent/skill context, this raises the risk of accidental or policy-violating spam, unwanted impersonation of the logged-in account, and abuse if an upstream prompt or tool invocation is manipulated.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The like/bookmark toggles change engagement state on Xiaohongshu as soon as the command runs, without explicit confirmation or pre-action disclosure. While lower impact than commenting, these are still authenticated write actions that can be triggered unintentionally by an agent, enabling stealthy engagement manipulation or accidental interactions under the user's account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This is a real safety/security issue: the pipeline defaults to executing the final publish action unless --preview is supplied, and it does so without an interactive confirmation step. In an automation skill whose purpose is to post content to a live social platform, this increases the chance of unintended publication from bad input, operator error, compromised upstream data, or misuse by another tool in the chain.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The publishing command performs a real post with title, content, and images, but the guide does not clearly warn that running it will publish content to a live Xiaohongshu account. In an agent or automation context, this missing disclosure increases the risk of accidental posting, reputational harm, and unintended use of account privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document provides a ready-to-run publish command that can post text and images to a public XHS account, but it does not warn the user that this action is externally visible, potentially irreversible, and tied to the currently logged-in account. In the context of an automation skill for social media operations, omission of confirmation, audience/visibility checks, or dry-run guidance increases the risk of accidental public posting, brand damage, or disclosure of sensitive media.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented workflow includes a direct publishing step to Xiaohongshu using `cdp_publish.py` against what appears to be a real logged-in session, but it does not warn the user that this action can post to a live account and permanently affect account state. In an agent skill context, that omission is risky because users may treat the workflow as a safe demo or dry run and unintentionally publish content, causing reputational damage, spam, or policy violations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.