小红书 Mac Controller
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Rednote-control purpose, but it can post, message, follow, and delete through your account, and one plugin path builds executable Python from tool inputs.
Install only if you trust the source and are comfortable letting an agent operate your logged-in Rednote app. Prefer a test account, require manual review before comments/DMs/deletes/follows, and disable the plugin or revoke Terminal Accessibility when finished. The maintainer should fix the dynamic Python argument handling and hardcoded path before broad use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted tool call or prompt-influenced argument could potentially make the skill run code on the Mac outside the intended Rednote controls.
The OpenClaw plugin constructs Python source strings from tool arguments and executes them with `python -c`. Some numeric parameters such as `times`, `col`, `row`, and `index` are interpolated without local runtime coercion, so a validation bypass could become arbitrary Python execution.
execFileAsync("uv", ["run", "--directory", SKILL_DIR, "python", "-c", pyCode] ...); ... scroll_feed(${JSON.stringify(direction)}, ${times})Avoid building Python source strings from tool input. Pass arguments as JSON or command-line parameters, coerce and validate numbers in TypeScript before use, and keep the Python entry points fixed.
If enabled, an agent could post comments, reply, send DMs, follow authors, or delete comments under the user's Rednote account, causing reputational or account harm.
The skill exposes tools that mutate a social account, send private messages, and delete comments, but the artifacts do not show an enforced confirmation or approval gate for those actions.
xhs_post_comment 发评论 ... xhs_reply_to_comment 回复评论(index,text) ... xhs_delete_comment 删评论(index) ⚠️不可逆 ... xhs_send_dm 发私信(text)
Separate read-only and write tools, require explicit confirmation for DMs/posts/follows/deletes, add a `confirm=true` or dry-run workflow, and avoid enabling write tools for broad autonomous use.
The agent operates the visible Rednote app with the user's account privileges and broad macOS UI-control permission.
The skill intentionally uses Terminal Accessibility permission and the logged-in Rednote app session. This is disclosed and purpose-aligned, but it means actions occur as the user.
Terminal 已获得辅助功能权限 ... 使用时 rednote App 必须在屏幕上可见 ... 回复/删除评论 | 需要登录态 + App 交互
Use only with an account you are comfortable automating, keep the app visible only when intended, monitor actions, and revoke Terminal Accessibility or OpenClaw tool access when not in use.
The skill may fail on other Macs or, if that path exists, run code from a location different from the installed extension the user reviewed.
The plugin executes Python from a hardcoded developer-specific path rather than deriving the installed skill directory, creating path/provenance confusion and possible execution of an unintended local copy.
const SKILL_DIR = "/Users/huangrunhui/.agents/skills/xhs-mac-mcp"; ... ["run", "--directory", SKILL_DIR, "python", "-c", pyCode]
Derive the skill directory dynamically from the plugin file location, remove developer-specific absolute paths, and document required binaries/dependencies in metadata.