xhs-copywriter (Xiaohongshu content generation)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its copywriting purpose, but it sends user keywords to an undisclosed third-party service using deliberately weakened HTTPS protections.

Review before installing. Use it only if you are comfortable with topic keywords being sent to an undisclosed third-party API over insecurely verified HTTPS. Do not paste private diary text, confidential campaign plans, unreleased product details, or proprietary brand strategy as prompts or style samples, and verify generated content before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill advertises automatic fetching of trending notes and hot-topic data, which implies network access, but no corresponding permissions or user-facing disclosure are declared. Undeclared network capability is dangerous because it can cause unexpected outbound requests, expose user prompts or usage metadata to third parties, and bypass informed consent expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a strong description-behavior mismatch: the skill is presented as a content-generation and analysis tool, but the implementation reportedly depends on an undisclosed third-party service and does not actually perform the promised generation or decomposition workflow. Such misrepresentation is dangerous because users may unknowingly send queries to an external service they were never told about, and the mismatch prevents them from making an informed trust decision.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The workflow mandates use of `web_search` to gather the latest news and hot topics, which expands the skill beyond its declared purpose of trend analysis and copywriting based on fetched platform notes. This broader capability can pull in unvetted external content, increase data-provenance risk, and cause the agent to act outside the user's expected scope.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The instructions first prohibit showing raw trending data to users, but the required final output later includes detailed reference notes, links, author identities, and interaction metrics. This contradiction can lead to leakage of scraped or internally retrieved data that the workflow itself said should remain hidden, creating compliance and data-sharing risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code deliberately disables certificate validation and hostname checks (`CERT_NONE`, `check_hostname=False`) while also suppressing SNI to reach a third-party HTTPS endpoint. This removes core TLS authenticity protections and makes the request vulnerable to man-in-the-middle interception or redirection, especially on hostile or monitored networks. In the context of a copywriting/trend-analysis skill, this bypass is not necessary for legitimate functionality and increases concern because it is explicitly designed to evade normal server-side controls.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level documentation frames the script as a normal 'final' hot-data query tool, but the implementation intentionally bypasses SNI-based controls and disables TLS verification. This mismatch is dangerous because it conceals risky network behavior from reviewers and operators, reducing the chance that insecure transport decisions will be noticed, challenged, or disclosed to users.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to match ordinary writing requests, which can cause the skill to activate in situations where a user did not intend to invoke external data collection or specialized behavior. In context, this increases the chance of surprise network access and unintended routing of generic prompts into a tool with hidden external dependencies.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The command examples use natural everyday phrasing like generic writing help, making accidental invocation likely. Because the skill context includes automatic data fetching and hidden third-party reliance, ambiguous commands are more dangerous than they would be for a purely local, read-only skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description says the tool will automatically fetch real-time lists and hot-topic information, but it does not warn users that this requires outbound network access to external sources. Missing disclosure is risky because users may provide sensitive business topics, campaign plans, or writing drafts without realizing those prompts could be transmitted off-platform.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill requires asking users to upload personal writing samples to mimic their style, but provides no privacy warning, minimization guidance, or consent framing. Users may share diaries or other sensitive text without understanding the retention, processing, or downstream exposure implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user-provided keywords to a remote third-party service without clearly disclosing that transmission to the user, and it does so over a weakened TLS channel created elsewhere in the module. This can expose potentially sensitive business, marketing, or campaign research terms to interception or to an undisclosed external operator, which is more concerning because the skill's purpose does not signal such insecure exfiltration behavior.

Ssd 3

Medium
Confidence
93% confidence
Finding
Soliciting personal notes, diaries, or essays for style analysis causes unnecessary collection and processing of potentially sensitive user text. Because the feature is framed as something the user is encouraged to provide before content generation, it increases privacy risk without strong necessity for the core function.

VirusTotal

65/65 vendors flagged this skill as clean.
