Skill v1.0.2
ClawScan security
xhs-weekly-ranking(小红书七日热榜) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 12:42 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it claims (fetch and analyze Xiaohongshu weekly rankings) but contains multiple incoherent or unusual elements — notably an unknown third‑party endpoint, deliberate TLS/SNI bypass, and required output/subscription behaviors that aren't supported by the code — so exercise caution and verify the data source before using.
- Guidance
- What to consider before installing or running this skill:
  - Verify the data source: the scripts contact onetotenvip.com rather than an official Xiaohongshu API. Ask the author for the service's identity, privacy policy, and why this domain is used. Check the domain reputation and ownership before trusting output.
  - TLS concerns: the code disables certificate verification and avoids sending SNI. That weakens transport security and can expose you to interception or malicious servers. Do not run this code on sensitive machines or networks until TLS behavior is fixed (enable proper cert checks and send SNI).
  - Subscription promise mismatch: the SKILL.md mandates daily push/subscription behavior but the provided code has no implementation for scheduling or delivering pushes (no credentials or webhook). Clarify how subscriptions are implemented and what credentials/storage are required; never provide messaging/webhook credentials without a clear, auditable plan.
  - File generation and retries: the skill will generate HTML files and forces repeated retries until all fields load. Running it could produce many files or repeat network calls. Run in a sandboxed environment and inspect generated files before sharing them.
  - Practical steps:
    1) Ask the maintainer for the official data source, domain ownership, and why TLS verification is disabled. Require fixes to enable standard TLS verification.
    2) Request a homepage or repository and a changelog; avoid installing unsigned/unknown source code without review.
    3) If you must test, run the scripts in an isolated VM or container with restricted network access and monitor outbound requests.
    4) Prefer a version that uses standard HTTPS libraries (requests/urllib) with certificate validation and documents the data source.
  - Because of the domain/TLS anomalies and the mismatch between 'subscription' behavior in the docs and the code, treat this skill as suspicious until the author clarifies and corrects these issues.
- Findings
  - [external_host_onetotenvip] unexpected: Both Python scripts make HTTPS requests to a third‑party domain (onetotenvip.com). For a tool that claims to fetch Xiaohongshu data this is unexpected: we'd expect calls to an official API or a well‑known aggregator. This is plausible (a scraper/aggregator) but the domain and service should be verified before trusting or running.
  - [ssl_verify_disabled] unexpected: The code disables certificate verification (context.verify_mode = ssl.CERT_NONE and check_hostname = False). Disabling TLS verification removes standard TLS protections and is unusual for a benign data fetcher; it increases risk of man‑in‑the‑middle or connecting to untrusted servers.
  - [no_sni_wrap_socket] unexpected: The code wraps the socket with SSL but intentionally does not pass server_hostname to wrap_socket (explicitly avoiding sending SNI). Not sending SNI is atypical for standard HTTPS clients and is often used to evade simple inspection or to connect to servers with nonstandard TLS setups. This behavior is suspicious in context.
Review Dimensions
- Purpose & Capability
- note: The name/description (fetching Xiaohongshu seven‑day hot notes and producing HTML + analyses) matches the scripts and SKILL.md: both scripts call an API, sort results, generate analysis and an HTML output. However the API host used (onetotenvip.com) is not Xiaohongshu's official domain and no homepage or source is provided. Using an unverified third‑party aggregator to claim 'no account / no API key required' is plausible but should be validated; otherwise the data source mismatch is suspicious.
- Instruction Scope
- concern: SKILL.md imposes strict, mandatory runtime behaviors (must read references/core_workflow.md, must output full live table, must generate and output an actual HTML file package, must immediately present subscription option and daily push behavior). The scripts fetch and generate HTML, but there is no code implementing scheduled daily pushes or subscription delivery. The instructions force the agent to produce specific outputs (including producing a file and immediate subscription UI) and to retry until all fields load — this gives the agent broad operational obligations beyond what the code actually implements and could push the agent to repeatedly contact the external endpoint or to generate data/exfiltrate more output than the user expects.
- Install Mechanism
- note: No install spec (instruction-only install) — lower installer risk. But the included Python scripts perform raw socket+SSL connections to an external host, create files (HTML) in the skill directory, and expect the runtime to execute them. There is no dependency list or sandbox guidance; running these scripts will contact an external server and write files to disk.
- Credentials
- concern: The skill requests no environment variables or credentials, which is consistent with its claim of 'no API key needed'. However the SKILL.md promises subscription/push functionality (daily 19:30 pushes) yet provides no mechanism or credential requirements for delivering pushes (no webhook URLs, no messaging service credentials, no scheduler). That mismatch — claiming persistent push capability without declaring any credential/configuration — is incoherent and could hide additional steps or require elevated privileges later.
- Persistence & Privilege
- ok: The skill does not request 'always: true' and does not declare persistent installation or cross-skill config changes. Scripts write an HTML file in the skill directory when executed; apart from that the skill does not request elevated platform privileges. Autonomous invocation is allowed (default) but is not combined with other high‑risk flags.
