龙虾内容工厂

Security checks across malware telemetry and agentic risk

Overview

This skill is for Xiaohongshu content creation, but it asks users to automate a logged-in browser session and contains mismatches and hard-coded paths that need review before installation.

Review this skill before installing. Use a dedicated Chrome profile or account, bind remote debugging only to localhost, inspect or fix the hard-coded external paths, and do not enable the cron job unless you are comfortable with recurring browser-assisted draft preparation. Always review the generated post before clicking publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of file reads/writes and shell execution (Python, pip, npm, ffmpeg, cron, Playwright) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or user may approve the skill without realizing it can modify local files, invoke system tools, and automate a browser session tied to a logged-in account.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior materially differs from the declared purpose: it relies on Playwright/CDP access to a live logged-in browser, writes local queue/manifest data, and does not actually perform fully automatic publishing despite claiming scheduled auto-posting. This mismatch is dangerous because users may grant trust based on a simpler content-generation description while the skill actually performs more sensitive browser automation against an authenticated session.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation is internally inconsistent: one section presents a scheduled publishing workflow, while another says the script will not click the final publish button and requires manual confirmation. This can mislead operators into deploying unattended automation around a logged-in account, increasing the chance of accidental posting, brittle automation, or unsafe workarounds to force full automation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description claims timed automatic publishing, but the documented implementation only connects to Chrome, uploads content, and fills fields before requiring a human to submit. This deceptive or inaccurate representation undermines informed consent and can cause users to expose an authenticated session to automation under false assumptions about what the skill will do.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to run Chrome with a remote debugging port and stay logged into Xiaohongshu, but it does not adequately warn about the privacy, account-security, and local attack-surface implications of exposing an authenticated browser to CDP automation. In this context, the risk is elevated because browser automation can act with the user's session privileges and may enable unintended access or account actions if the environment is not tightly controlled.

VirusTotal

59/59 vendors flagged this skill as clean.
