Xhs Auto Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Xiaohongshu publishing helper, but it uses persistent account sessions, recurring automation, and anti-detection browser settings that need careful review.

Install only if you are comfortable with a local tool storing your Xiaohongshu login session, opening an authenticated browser, preparing posts, and scheduling recurring runs. Keep the .auth directory private and out of git or sync folders, delete saved cookies/profile data when finished, review every post before publishing, and consider removing clipboard permissions and anti-detection settings before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence: 99%
Finding
Although the workflow claims the final publish click is manual, it explicitly instructs use of anti-detection measures such as hiding automation flags, using a real UA to evade platform controls, persisting profiles/cookies, and suppressing permission prompts. That combination is dangerous because it facilitates stealthy circumvention of platform safeguards and reduces user visibility into automated actions.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The documented browser automation goes beyond assisted posting and includes anti-detection behavior specifically aimed at making automated activity appear human. In the context of a social-platform publishing tool, this materially increases abuse potential for spam, sockpuppet scaling, and enforcement evasion.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script explicitly grants clipboard-read and clipboard-write permissions to both Xiaohongshu domains even though its stated workflow only requires login, image upload, and text entry. Unnecessary clipboard access expands the browser automation's ability to read sensitive user data copied elsewhere or overwrite clipboard contents, which is especially risky in a tool designed to persist authenticated sessions and run with a real browser profile.

Vague Triggers

Medium
Confidence: 92%
Finding
The README states the skill can auto-trigger in any conversation from broad, generic phrases, which increases the chance of unintended activation. In a skill that can set up browser automation, persistent login state, and scheduled publishing, accidental triggering could lead users into authorizing automation or exposing account context without clearly intending to do so.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill description mentions persistent browser profile storage and automated publishing flow, but does not present a clear, prominent warning about the security and privacy implications of storing cookies/login state and automating actions in a browser. Users may not understand that local profile data could enable account access if mishandled, or that automated browser behavior tied to a social media account can create account, privacy, and misuse risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script saves authenticated session cookies to a local JSON file under the workspace without any explicit warning, consent flow, or protection of that file. Anyone with access to the workspace, backups, or logs could reuse those cookies to impersonate the user on Xiaohongshu until the session expires or is revoked.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script launches Chromium with a persistent userDataDir, causing login state, cookies, and other browsing artifacts to be retained across runs without an explicit warning to the user. In the context of an auto-publishing skill for a real social-media account, this materially increases account-takeover risk if the workspace or host is shared, compromised, or later reused by another process.

VirusTotal

62/62 vendors flagged this skill as clean.
