xiaohongshu-auto-poster

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly scoped to Xiaohongshu automation, but it can publish or pin live account content with weak confirmation and setup safeguards.

Review carefully before installing. Use a test or low-risk Xiaohongshu account, generate drafts first, require explicit confirmation before any post or pin action, verify the MCP binary source before running it, and disable background/autostart when not actively using the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers
Medium, 91% confidence

Finding: The README advertises a simple natural-language trigger ('发小红书:xxx 主题') that appears sufficient to initiate content generation and live posting, but it does not describe any confirmation, preview, scope restriction, or anti-trigger safeguards. In an automation skill that targets a real social-media account, broad activation language increases the risk of unintended publication from ambiguous prompts, prompt injection, or user misunderstanding.

Missing User Warnings
High, 95% confidence

Finding: The README promotes automatic publishing to Xiaohongshu without clearly warning that actions affect a live account and may immediately publish externally visible content. In this context, missing warnings materially increase the chance of reputational damage, accidental spam, policy violations, or posting of AI-generated misinformation, because users may assume the tool only drafts rather than publishes.

Missing User Warnings
Medium, 89% confidence

Finding: The login/authorization instruction tells users to re-login and scan to authorize account access, but it does not explain what permissions are granted, how credentials/session tokens are handled, or the risks of granting the MCP service publishing access. Because this skill is specifically designed to act on a real social-media account, omission of privacy and account-access warnings makes unauthorized or poorly understood access more dangerous.

Missing User Warnings
Medium, 93% confidence

Finding: The skill explicitly states it will automatically publish content to the user's Xiaohongshu account, which is an account-affecting action, but it does not present a clear warning or require an explicit confirmation step immediately before posting. In an agent setting, this raises the risk of unintended or overly broad actions on behalf of the user, especially if a prompt is ambiguous or the generated content is not reviewed first.

Vague Triggers
Medium, 90% confidence

Finding: The invocation examples use very broad natural-language phrases such as '发小红书:...' and '用模板 3 发小红书:...' that can easily overlap with ordinary conversation or quoted text. In an agentic environment, ambiguous triggers increase the risk of unintended skill activation, causing the system to generate or publish content when the user did not explicitly intend to invoke the posting workflow.

Missing User Warnings
Medium, 83% confidence

Finding: The guide instructs users to authenticate a Xiaohongshu account via QR code and implicitly grant the local MCP service access to the logged-in session, but it does not disclose what account data, cookies, or posting permissions the service will receive or retain. In a tool whose purpose is automated posting, undisclosed session access is security-relevant because it can enable account takeover, unauthorized posting, or misuse of a persistent authenticated session.

VirusTotal

65/65 vendors flagged this skill as clean.