Skill v1.0.0

ClawScan security

xhs-breaking-rankings(小红书冷门爆款探测器) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 12:55 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (fetching Xiaohongshu low-follower viral posts) is plausible, but the package contains mismatches, evasive network code, and runtime instructions that force verbatim output of a packaged report. These behaviors are unexpected and warrant caution.
Guidance
What to consider before installing:

- Network endpoint: The fetch script calls https://onetotenvip.com/... — this is an unknown third-party host (not obviously Xiaohongshu). Verify the trustworthiness of that endpoint before allowing the skill to make outbound requests.
- TLS evasion: The script intentionally disables TLS certificate verification and sets server_hostname=None to avoid SNI. This is unusual for a benign data-aggregation tool and could be used to bypass network protections or connect to impostor servers. Ask the author why this was done; prefer a version that uses standard HTTPS (e.g., requests) with proper certificate validation.
- Forced packaged output: The runtime instructions require the agent to read and output a bundled Markdown file verbatim (and not alter it). That means you may get a pre-generated/static report rather than fresh live data. If you expect real-time queries, confirm that the skill actually calls the API and returns live results rather than always returning the packaged md/html.
- Dependency mismatch: SKILL.md declares requests, but the fetch script uses raw sockets. This inconsistency could be an oversight or a deliberate attempt to avoid obvious HTTP libraries — ask for clarification or an updated implementation.
- Local file writes: The skill writes ./xhs_breaking_rankings.md and ./xhs_breaking_rankings.html. If you run this in a shared environment, be aware of file creation/overwriting.

Recommended actions:

1. Do not enable unattended/autonomous use of this skill until the above concerns are addressed.
2. Request that the author provide: (a) the rationale for disabling TLS validation/SNI and a switch to a proper HTTPS client, (b) confirmation that live queries are performed (or removal of the forced 'output packaged md' rule), and (c) documentation for the onetotenvip.com service and its data provenance.
3. If you must test it, run the scripts in an isolated sandbox and monitor network traffic to verify where data is being sent and what responses are returned.
4. Prefer a version that uses requests/https with certificate validation and that only outputs dynamic results after a successful fetch, or obtain the data source directly from a well-known/reputable provider.

Review Dimensions

Purpose & Capability
note · The skill claims to fetch Xiaohongshu 'low-follower' viral posts and includes scripts that call an external API to return such data, which is coherent in purpose. However, there are mismatches: SKILL.md lists 'requests' as a dependency, but the fetch script implements HTTP over raw sockets/SSL instead of using requests. The API host used (onetotenvip.com) is not obviously related to Xiaohongshu; contacting an external aggregator is reasonable, but the choice of host and the way it is contacted are not justified by the description.
Instruction Scope
concern · SKILL.md and core_workflow.md explicitly require reading and then outputting the packaged Markdown file (./xhs_breaking_rankings.md) verbatim and forbid modifying or omitting parts of it. That forces the agent to return the included (pre-generated) report rather than always performing a fresh query, which can produce stale or fabricated results and circumvents the expected dynamic querying. The scripts do write/read local files (HTML/MD) as described — that part is expected — but the coercive 'output this packaged file exactly' rule is surprising and risky for data integrity.
Install Mechanism
ok · No install spec (instruction-only) — lowest installer risk. The code files live in the skill bundle and will only run when invoked; nothing in the package fetches remote code during install.
Credentials
concern · No environment variables or credentials are requested, which is good. However, the fetch script makes direct network calls to an external domain using raw sockets and deliberately disables TLS verification and SNI (see fetch_explosive_articles.py). Disabling certificate checks and not sending SNI are disproportionate to the stated data-aggregation task and are common techniques for evading network inspection or connecting to nonstandard endpoints.
Persistence & Privilege
note · `always` is false and the skill does not request system-wide privileges. The scripts create/overwrite local output files (./xhs_breaking_rankings.md and .html), which is expected. The package mentions a subscription concept in its text, but there is no explicit automated push mechanism in the code — any subscription behavior would depend on the agent, so check how subscriptions would actually be implemented before enabling them.