Xhs Mcp Service

Security checks across malware telemetry and agentic risk

Overview

This is a real Xiaohongshu automation skill, but it exposes live account actions too broadly and without enough safety controls.

Review before installing. Run it only on a machine and network you control, bind the service to localhost instead of 0.0.0.0, protect data/cookies.json like a password, and add your own explicit confirmation step before posting, commenting, liking, favoriting, deleting cookies, or running any example/test script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (35)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The documentation instructs the agent/user to run shell commands like cd, npm install, npm run login, and npm start on the local machine. This exceeds normal MCP tool invocation and can lead to arbitrary local code execution, dependency installation, and browser-based credential handling outside the governed MCP interface.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill explicitly tells the operator to create and run a standalone Node.js script that imports local project code to publish content. That bypasses the declared MCP interface, expands the execution surface to arbitrary local JavaScript, and enables unreviewed code paths with access to cookies, files, and network operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The server defaults to HOST='0.0.0.0', which exposes an MCP service that can check login state, read data, post comments, like/favorite content, publish posts, and delete cookies to any reachable network client. In the context of a local helper for operating a user's XHS account, this materially expands the attack surface from local-only to remote network access and can enable unauthorized account actions if the port is reachable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The server binds to 0.0.0.0 by default, making the MCP endpoint reachable from other hosts instead of only the local machine. Because this service exposes authenticated account actions such as posting, commenting, liking, favoriting, and deleting cookies, unintended network exposure can allow remote parties on the same network or via port forwarding to drive the user's XHS account.

Context-Inappropriate Capability

Severity: Low
Confidence: 89%
Finding
The error handler returns error.message and error.stack directly to HTTP clients, leaking internal implementation details. Stack traces can reveal filesystem paths, library versions, code structure, and operational behavior that make further attacks easier and may expose sensitive runtime information from underlying tool failures.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly demonstrates account-affecting actions such as liking content and publishing posts, but it does not clearly warn that these operations change the user's real XHS account state and may trigger platform moderation, accidental posting, or unintended engagement. In an MCP skill context, these examples are especially risky because an AI assistant may translate natural-language requests into real actions, making accidental misuse more likely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README advertises persistent cookie storage and login-state retention without warning that cookies are sensitive authentication material and may enable account takeover if stored insecurely or shared. This is more dangerous in a local automation/MCP server because the documented file-based cookie persistence encourages long-lived credentials on disk that could be exposed through weak filesystem permissions, backups, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README actively encourages automated account actions such as likes, comments, and publishing, but does not clearly warn users about platform policy violations, account suspension risk, reputational harm, or unintended content/posting consequences. In the context of a social-media automation skill, omission of these warnings materially increases the chance that users will trigger high-impact actions without informed consent or adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README mentions login state management and cookie persistence as features, but does not clearly warn that authentication material is stored locally and may remain on disk in a reusable form. For a tool that automates a real social-media account, undocumented local persistence of session state increases the risk of credential/session theft, accidental sharing, or misuse on shared machines.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger condition covers nearly any mention of 小红书/XHS-related topics, including ordinary conversation. Over-broad activation increases the chance that the skill is invoked in contexts where the user did not intend account-affecting operations, causing unintended access to local services or downstream actions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill documents state-changing actions such as liking, favoriting, commenting, publishing, and deleting cookies without requiring explicit consent or a risk acknowledgment. In this context, those actions directly affect a real social-media account and could cause reputational damage, account issues, or loss of session state if triggered mistakenly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation exposes tools that can like, favorite, comment, reply, and publish content on a real Xiaohongshu account, but it does not clearly warn that these are state-changing actions on a live user account. In an agent skill context, omission of that warning increases the risk of accidental execution, unauthorized engagement, spammy behavior, or unwanted publication when an AI or user assumes the tools are read-only.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file states that authenticated cookies are automatically saved to `data/cookies.json` but gives no warning that this file contains reusable session credentials. Storing session cookies on disk without clear guidance on file protection, access control, and rotation creates account-takeover risk if the host, repository, backups, or logs are exposed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This example script performs state-changing actions on a real external account (like, favorite, unlike, unfavorite) immediately after selecting a search result, with no user confirmation, dry-run mode, or safety interstitial. In the context of an MCP skill that can be triggered for Xiaohongshu operations, this increases the risk of unintended account activity, accidental engagement, and abuse if invoked by mistake or by a prompt that the agent interprets too broadly.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The delete_cookies tool performs a destructive session-reset action with no confirmation, warning, or friction. If invoked accidentally or by an unauthorized client connected to the exposed MCP service, it can log the user out and disrupt account access or automation state.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The publishing tools can perform real external account actions on XHS, including posting text, images, and video, without any built-in user confirmation or warning. In combination with the network-exposed service, misuse could lead to unauthorized or accidental publication, reputational harm, spam, or policy violations on the user's account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The `/message` endpoint logs `req.body` verbatim, which can capture sensitive MCP payloads, authentication material, prompts, cookies, tokens, or user content sent through the local service. In this skill's context, the server exposes account-management and publishing capabilities for XiaoHongShu, so request bodies are likely to contain private operational data and potentially session-related information, making log leakage a real privacy and security issue.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The deleteCookies function performs a destructive authentication-state action immediately, with no confirmation, no dry-run, and no indication of scope. In an agent/MCP context, a user could trigger this unintentionally or through ambiguous prompting, causing logout/session loss and disruption of subsequent automated actions.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The postComment function directly publishes user-supplied text to a live social media account with a single call and no explicit pre-action confirmation or preview. In this skill's context, that is especially dangerous because it enables unintended public posting, spam, reputational harm, and abuse of the authenticated account through prompt injection or mistaken agent behavior.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The replyComment function posts a public reply on behalf of the logged-in user without an explicit warning, preview, or final confirmation. Because this skill is specifically designed to operate a real XHS account, the absence of a human-in-the-loop safeguard increases the risk of accidental harassment, spam, impersonation, or reputational damage.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The publishContent function uploads local files and publishes a note to the creator account without an explicit pre-publication confirmation or preview gate. In a social-media automation skill, this is highly risky because it can cause accidental public disclosure, unauthorized brand/account activity, and publication of sensitive local content selected by the agent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The publishWithVideo function uploads a local video file and publishes it with no explicit user-facing warning or final approval. This is particularly dangerous in this skill because video files may contain sensitive or proprietary content, and accidental publication to a live account can create immediate and hard-to-reverse exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The test script performs real state-changing actions against a live XHS account, including liking, favoriting, and posting a comment, without any confirmation prompt, dry-run mode, or clear safety gate. In the context of an agent skill that interfaces with a social-media platform, this is more dangerous because running a 'test' can unintentionally modify user accounts, generate unwanted public activity, and create reputation or policy-compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The quick reference documents account-affecting operations such as deleting cookies, liking, commenting, and publishing content, but it does not clearly warn that these actions modify account state, may be irreversible, and can trigger platform-side consequences. In an agent skill context, this increases the risk that downstream users or agents treat the examples as routine safe calls and perform unintended social, account, or publication actions on a real XHS account.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The quick-start guide prominently documents account-affecting actions such as deleting cookies, liking, favoriting, commenting, replying, and publishing content, but it does not clearly warn that these operations modify account state, create public content, or may trigger platform moderation or account restrictions. In the context of an MCP skill that exposes full Xiaohongshu automation capabilities, this omission increases the risk that users or downstream agents invoke state-changing tools without informed consent or adequate safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.