Skillv1.0.1

ClawScan security

xhs-explosive-content-detector（小红书爆款雷达） · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 11:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (fetch and rank Xiaohongshu trend data) but contains several mismatches and risky networking choices — notably a custom TLS/no‑SNI HTTP client that talks to an unrecognized external domain — that are not justified by the description.
Guidance: What to consider before installing or running this skill: - Network target: The script sends your queries to an unrecognized third‑party domain (onetotenvip.com). The README claims 'public Xiaohongshu aggregation' but does not disclose who operates that domain. If you are uncomfortable with network traffic leaving your environment to an unknown service, do not run it. - TLS behavior: The code deliberately disables TLS certificate validation and omits SNI when connecting. That means the script will not verify the server identity and is harder to observe in typical TLS logs — a technique sometimes used to evade monitoring or reach internal/filtered endpoints. This is unusual for a benign data fetcher and should be explained by the author before use. - Docs vs code mismatches: SKILL.md mentions the 'requests' library and optional env vars (XHS_API_PROXY, OUTPUT_PATH) that the script does not use. Ask the author to explain why a custom socket-based client was implemented and whether there is a 'normal' mode that respects proxies and certificate verification. - Mitigations if you want to evaluate safely: - Inspect and run the script in a sandboxed VM or isolated environment with no access to sensitive systems. - Monitor outbound network connections (DNS and HTTP) while running; verify the destination domain's reputation and ownership. Consider blocking the domain and running a modified script that uses requests with proper TLS validation to see if the aggregation endpoint is accessible elsewhere. - Request provenance: ask the publisher for the data provider's identity, why TLS verification is disabled, and for a signed/verifiable source or alternate endpoint (e.g., official API or a trusted proxy). - If you need similar functionality but want lower risk, prefer tools that use documented APIs and standard HTTP clients with normal TLS verification and proxy support. If you want, I can: (a) extract and display the exact network request parameters this script would send for a sample keyword; (b) suggest a safe replacement that uses requests + proper TLS + optional proxy handling; or (c) help formulate questions to the author to clarify the no‑SNI / no‑verify choices.
Findings: [raw_socket_no_sni_ssl] unexpected: The script implements an HTTPS GET using raw sockets and wraps with ssl.SSLContext(...); it sets server_hostname=None (no SNI) and context.verify_mode = ssl.CERT_NONE (disables certificate verification). For a tool claiming to fetch public Xiaohongshu data this is unusual and increases risk (evades typical TLS checks / monitoring). [unknown_external_api_endpoint] unexpected: The script sends queries to https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData rather than an official Xiaohongshu endpoint or a documented aggregator. Contacting an unvetted third‑party endpoint expands the attack surface and could allow data exfiltration. [docs_code_mismatch_requests_not_used] expected: SKILL.md lists 'requests' as a dependency but the script does not use requests; while not directly malicious, it is an incoherence that reduces transparency.

Review Dimensions

Purpose & Capability: noteName/description: a Xiaohongshu explosive-content detector that fetches and ranks public notes. The included Python script implements exactly that. However the script sends queries to a third‑party domain (onetotenvip.com) rather than directly to Xiaohongshu or a documented aggregator, and the SKILL.md claims usage of the 'requests' library though the script uses a custom socket-based HTTP client. These differences are unexpected and unexplained by the README.
Instruction Scope: concernSKILL.md instructs running scripts/fetch_xhs_trends.py with keywords and lists optional env vars (XHS_API_PROXY, OUTPUT_PATH). The script itself does not read those environment variables and instead makes network calls to an external API. The workflow enforces waiting/interaction rules, but nothing in the docs explains why the script implements a raw TLS socket (no SNI, certificate verification disabled). The script does not read or transmit local files or credentials, but the undocumented network target and TLS bypass expand the trust boundary.
Install Mechanism: okNo install spec; instruction-only with a Python script. No packages are pulled during installation beyond the user running pip for 'requests' per docs. The package does not automatically download or execute remote install artifacts on install time.
Credentials: noteThe skill declares no required credentials and only optional env var names in SKILL.md, but the code does not use them. There are no requested secrets or config paths. The lack of declared credentials is consistent with the script, but the SKILL.md/XHS_API_PROXY mismatch is an incoherence to note.
Persistence & Privilege: okalways is false, it is user-invocable, and there is no indication the skill modifies agent/system configuration or requests permanent presence.