warn
suspicious.insecure_tls_verification
- Location
- scripts/fetch_xhs_trends.py:82
- Finding
- HTTPS certificate verification is disabled.
xhs-explosive-detector(小红书爆款雷达)
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.insecure_tls_verification
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
A network attacker or misconfigured proxy could impersonate the API and alter rankings, links, or report contents shown to the user.
Why it was flagged
The script deliberately disables TLS certificate verification and hostname checking when fetching the external API, so the agent cannot authenticate the server it is trusting for report data.
Skill content
context.check_hostname = False context.verify_mode = ssl.CERT_NONE ssl_sock = context.wrap_socket(sock, server_hostname=None)
Recommendation
Do not rely on this skill for important decisions until TLS verification is fixed; the maintainer should use verified HTTPS, for example requests with verify enabled or ssl.create_default_context with server_hostname set.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Search terms, dates, and potentially business-sensitive content-planning interests may be visible to the external API provider.
Why it was flagged
User-supplied keywords and dates are sent to a hardcoded third-party provider domain; this is aligned with the skill's purpose, but the provider boundary is not clearly named in the user-facing documentation.
Skill content
base_url = "https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData"
params = {"keyword": keyword, "source": "小红书爆款笔记洞察new-ClawHub"}Recommendation
Use non-confidential query terms unless you trust the provider, and ask the maintainer to document the API provider, data handling, and retention expectations.