Rednote Mac
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its stated RedNote automation purpose, but it gives an agent powerful control over your Mac UI and RedNote account, and the plugin code has a parameter-to-Python execution pattern that deserves review.
Install only if you trust this skill with your RedNote session and visible Mac UI. Use a dedicated macOS account if possible, verify screenshots before sending or deleting anything, avoid exposing sensitive DMs to image analysis, and consider waiting for a version that removes dynamic python -c parameter interpolation or adds stricter runtime validation and confirmations.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the tool framework ever accepts a non-integer or crafted value for these parameters, a malicious tool call could potentially execute arbitrary Python commands as the local user.
The OpenClaw plugin builds Python source strings and executes them with python -c. Some parameters such as times, col, row, and index are interpolated directly rather than cast and range-checked in the plugin code.
execFileAsync("uv", ["run", "--directory", SKILL_DIR, "python", "-c", pyCode] ...); ... scroll_feed(${JSON.stringify(direction)}, ${times})
Avoid dynamic python -c construction for tool calls. Use a fixed Python entry point with JSON or argv parameters, cast and validate all numeric inputs at runtime, and reject values outside expected ranges.
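The following is an added example, not code from the skill or from ClawScan. It places the interpolation pattern the finding describes next to the fixed-entry-point design the remediation asks for: every parameter is type- and range-checked in the plugin, then handed to Python as one argv item of JSON rather than spliced into source text. The module name `xhs_tools.cli`, the `scroll_feed` argument bounds and the `SKILL_DIR` placeholder are assumptions.

```javascript
// Added example (not the skill's code). SKILL_DIR, the xhs_tools.cli module
// and the bound of 20 scrolls are assumptions made for illustration.
const SKILL_DIR = "/path/to/skill"; // placeholder, never used to execute anything here

// Mirrors the pattern in the finding: `times` is pasted into Python source.
// Only `direction` is protected by JSON.stringify; `times` is not.
function buildUnsafePyCode(direction, times) {
  return `from xhs_tools import scroll_feed; scroll_feed(${JSON.stringify(direction)}, ${times})`;
}

// Hardened variant: validate at runtime, then pass data, not code.
const DIRECTIONS = new Set(["up", "down"]);

function toBoundedInt(value, name, min, max) {
  if (typeof value !== "number" || !Number.isInteger(value)) {
    throw new TypeError(`${name} must be an integer, got ${JSON.stringify(value)}`);
  }
  if (value < min || value > max) {
    throw new RangeError(`${name} must be between ${min} and ${max}`);
  }
  return value;
}

// Builds the argv for execFile("uv", args). The last element is a JSON
// document that the fixed Python entry point parses; nothing in it is
// ever evaluated as Python source, so a crafted `times` cannot add statements.
function buildScrollArgs(direction, times) {
  if (typeof direction !== "string" || !DIRECTIONS.has(direction)) {
    throw new TypeError("direction must be 'up' or 'down'");
  }
  const params = { direction, times: toBoundedInt(times, "times", 1, 20) };
  return [
    "run", "--directory", SKILL_DIR,
    "python", "-m", "xhs_tools.cli", // assumed fixed entry point
    "scroll_feed", JSON.stringify(params),
  ];
}

module.exports = { buildUnsafePyCode, buildScrollArgs, toBoundedInt };
```

Passing a string such as `3); __import__("os").system("id"); (0` as `times` turns the unsafe builder's output into three valid Python statements, which is exactly the scenario the finding warns about; the hardened builder rejects it before any process is spawned.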
An agent with this tool enabled could send or delete RedNote content from your logged-in account if it invokes the tool incorrectly or after being influenced by bad context.
The skill exposes tools that post public comments, send private messages, and delete comments. These are central to the stated purpose, but they are high-impact account actions and the artifacts do not show a mandatory confirmation step before execution.
xhs_post_comment(text="Great post!") ... xhs_reply_to_comment(index=0, text="Thanks!") ... xhs_delete_comment(index=0) # ⚠️ irreversible ... xhs_send_dm(text="Hello!")
Use the skill only with explicit user instructions for each send/delete action. Prefer adding built-in confirmations, previews, rate limits, and screenshot verification before any DM, public comment, follow/unfollow, or deletion.
Once enabled, the automation environment can click, type, screenshot, and interact with visible UI using your local account privileges.
The artifacts correctly disclose that Terminal Accessibility is broad OS-level control, not a RedNote-only permission.
The Accessibility permission grants control over **all apps** on your Mac, not just RedNote. Only enable if you trust this skill. Consider running automation in a dedicated user account.
Run this in a dedicated macOS user account if possible, keep only RedNote visible during use, and revoke Terminal's Accessibility permission when you no longer need the skill (System Settings > Privacy & Security > Accessibility, or `tccutil reset Accessibility com.apple.Terminal` from a shell).
Installation can bring in third-party code that will run with the same local privileges as the skill.
The user-run installer fetches external dependencies with version ranges and registers the plugin by symlink. This is disclosed and purpose-aligned, but it depends on external package provenance.
brew install cliclick ... uv sync ... pip install "atomacos>=3.3.0" "pyobjc-framework-Quartz>=12.1" "pyobjc-framework-ApplicationServices>=12.1" "mcp>=1.26.0" ... ln -sf "$SKILL_DIR" "$PLUGIN_DIR"
Review the installer before running it, prefer a virtual environment or uv lockfile with pinned dependency versions, and install only from trusted package sources.
Private conversations, usernames, notifications, or profile information visible in RedNote screenshots may be sent to the agent for analysis.
The skill can capture RedNote screens, including DM conversations, and pass those images into the agent/image-analysis context. This is disclosed and useful for the purpose, but it may expose private messages to the agent provider.
xhs_screenshot() # confirm conversation opened, check who it is ... use `xhs_screenshot()` + image analysis to read the conversation.
Avoid using screenshots on sensitive conversations unless you are comfortable with the agent/provider seeing that content, and close or obscure unrelated private information before invoking screenshot tools.
