Back to skill
Skillv1.0.0
VirusTotal security
小红书发布 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:59 AM
- Hash
- 4bdaec179c13e58c9f38130b6b62ef04f90d87f912f175bd2d2836a8e95f100d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dragon-xiaohongshu Version: 1.0.0 The skill requires the user to manually download and execute an external, pre-compiled Windows executable (`xiaohongshu-mcp-windows-amd64.exe`) as a prerequisite, as explicitly stated in `SKILL.md` and `references/config.md`. The core script (`scripts/publish.js`) then communicates with this executable via `http://localhost:18060/mcp`. While the `publish.js` script itself does not exhibit malicious behavior (e.g., data exfiltration, persistence, unauthorized network calls beyond localhost), the reliance on an unverified external binary introduces a significant trust and security risk, as the security posture of the entire skill is dependent on the integrity and behavior of this third-party executable.
- External report
- View on VirusTotal