Xiaohongshu Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Xiaohongshu automation skill, but it can use a saved account session to post, comment, like, collect, and evade platform automation checks.

Review carefully before installing. Use only with an account you are willing to risk, protect ~/.xiaohongshu as you would any credential store, do not share QR codes or cookie files, and require explicit manual approval before any publish, comment, reply, like, collect, or SOP engagement action. Expect possible platform-terms or account-enforcement risk, because the skill includes anti-detection and login-gate bypass behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to install dependencies, run Python scripts, access browser/network resources, and write runtime data such as QR codes and debug output, yet it declares no explicit permissions. This creates a trust and sandboxing gap: a host may expose the skill to users or agents as low-privilege while it actually performs filesystem and network-capable automation against a logged-in social media account.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client deliberately injects anti-detection and fingerprint-masking JavaScript, suppresses browser automation indicators, and loads an external stealth.js override from the user's home directory before every page. In a content-management skill, this materially increases the capability to evade platform bot detection and conceal automated access, which can facilitate unauthorized scraping, abusive automation, or bypass of service protections.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The logout function removes `strategy.json` even though its stated purpose is only to clear login state. This couples credential/session cleanup with deletion of unrelated user configuration, which can cause unintended data loss and lets any caller of logout wipe operational settings without explicit user consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring says the function resets login state, but the implementation also deletes a strategy file. This mismatch is security-relevant because callers may invoke logout expecting a narrow, safe action while actually triggering broader destructive behavior against user data/configuration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code intentionally bypasses Xiaohongshu's login/access control by deleting the login modal and overlay DOM, explicitly to avoid redirect behavior and keep loading search results. Even though this is implemented in browser automation rather than by breaking server-side auth, it is still a deliberate circumvention of a platform gate and can enable unauthorized scraping or policy evasion using the user's session context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README prominently advertises automated interaction features such as commenting, liking, collecting, and auto-publishing without placing a clear warning near those capabilities about account suspension, spam/abuse risk, and possible privacy or platform-integrity consequences. In the context of a social-platform automation skill, this omission can normalize high-risk behavior and make misuse more likely, especially by agent users who may execute actions at scale.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The login instructions state that cookies are automatically saved after QR-code login, but do not warn that these cookies are persistent session secrets that can grant account access if copied, leaked, or stored insecurely. For an agent skill that uses browser automation and local state, failing to highlight session-data sensitivity increases the chance of credential mishandling.

Vague Triggers

High
Confidence
95% confidence
Finding
The description contains many broad natural-language trigger phrases such as references to xiaohongshu/rednote and common conversational requests, making accidental invocation likely during ordinary chat. Because this skill can perform authenticated actions like posting, commenting, liking, and collecting, overbroad auto-triggering materially increases the chance of unintended account actions or sensitive browsing under user credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes commands that immediately publish content, including auto-publish and scheduled publishing, without any warning that they cause real account actions. In an agent-skill context, this is dangerous because an LLM-driven agent may invoke these commands directly from user intent or ambiguous prompts, leading to unintended posts, reputational harm, or policy violations on the linked account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The docs include comment, reply, like, and collect commands that perform real engagement actions on behalf of a logged-in account, but they do not warn that these mutate account state or may trigger platform limits. In an agent-integrated skill, such silent side effects increase the risk of unauthorized interactions, spammy behavior, and account enforcement if an agent executes them automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that login cookies are automatically saved under ~/.xiaohongshu/ for reuse, but it does not warn users that these cookies are sensitive session credentials. If those files are exposed through weak local permissions, backups, shared machines, or accidental publication, an attacker may be able to reuse the session and access the user's account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The functions perform live comment and reply submission using the authenticated user's account with no explicit confirmation gate, dry-run mode, or in-function disclosure that a real external action will occur. In an agent context, this creates a meaningful risk of unintended posting, prompt-influenced misuse, or accidental reputation/account harm because merely calling the function causes an irreversible side effect on a third-party platform.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The notification-based reply flow can send a real reply from the user's logged-in account by selecting a notification index and immediately submitting content, again without explicit disclosure or confirmation. This is slightly more dangerous in agent use because the target is chosen indirectly from a dynamic notification list, increasing the chance of replying to the wrong person or context while still producing a public external side effect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`logout()` irreversibly deletes browser persistence data and cookie files without any confirmation, dry-run, or warning. In an agent skill context, tools may be invoked indirectly or automatically, so a destructive action with no guardrails increases the chance of accidental session loss and user disruption.

Ssd 4

Medium
Confidence
97% confidence
Finding
The skill documents anti-detection measures such as randomized delays, 'simulate human browsing behavior,' frequency throttling, retry logic, captcha handling, and quota-managed engagement SOPs. In context, these are not ordinary reliability features; they are designed to evade platform anti-abuse controls while scaling automated interactions on a logged-in account, which increases abuse potential and risk of account compromise or enforcement.

VirusTotal

VirusTotal findings are pending for this skill version.