Xiaohongshu Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Xiaohongshu automation tool, but it can reuse saved login sessions and publish to a real account without a final confirmation step.

Install only if you are comfortable letting this skill automate a logged-in Xiaohongshu account. Use a dedicated account if possible, treat %USERPROFILE%\.xiaohongshu-win as sensitive session data, avoid shared or synced machines, review publish inputs carefully, and delete the stored cookies/profile when you no longer need the tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable behavior involving environment variables and network access, but does not declare permissions. That creates a transparency and consent problem: users and hosting platforms cannot accurately assess or gate what the skill will access before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose does not fully match the observed capabilities: the skill can retrieve detailed note data/comments, persist cookies and browser profiles, migrate prior auth state, and use web APIs beyond the stated browser-only framing. This mismatch is dangerous because users may authorize or run it without understanding the extent of account access, persistence, and data collection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill stores login cookies and a persistent browser profile under the user's home directory, but the description does not clearly warn about this sensitive local persistence. If another local process, user, or backup/sync mechanism accesses those files, the account session could be exposed or reused.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The publish feature is described as a convenience capability, but the skill text does not prominently warn that it can perform real posting actions on the user's Xiaohongshu account. In context, this is more dangerous because the skill controls a real browser session and can take live account actions, increasing the risk of accidental or unauthorized posting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that cookies and a persistent browser profile are stored under the user's home directory, but it does not explicitly warn that these files contain active session material and potentially sensitive authenticated state. In a skill that automates login and posting to a social-media account, local storage of session data materially increases the risk of account takeover or privacy exposure if the host is shared, backed up insecurely, or later compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cleanup command recursively deletes the entire .xiaohongshu-win directory, which includes all locally stored login/session data, but the documentation does not warn users about the scope or consequences of the deletion. While this is primarily a safety/usability issue rather than a direct exploit primitive, it can cause unexpected loss of authenticated state and local browser data, especially in an automation tool that relies on persistent sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently copies a cookies.json file containing authentication material from one profile directory to another. Even though the source and destination are both under the same user's profile, duplicating auth tokens increases exposure, creates another persistence location for sensitive data, and occurs without explicit user consent or visibility, which is risky in a browser-automation publishing tool.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Session cookies are written in plaintext to a predictable location under the user's profile directory, creating a local credential theft risk if another local process or user can read that file. Because these cookies represent authenticated browser state, compromise could allow account hijacking or unauthorized actions on the user's Xiaohongshu account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code creates and reuses a persistent browser profile directory to preserve login state, which stores sensitive authenticated browser artifacts locally without a clear warning or consent boundary. Persistent profiles can contain cookies, local storage, and other tokens, so local compromise of that directory may expose the user's account session.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function can automatically click the publish button and post content immediately after filling fields, without an explicit confirmation step from the user at the moment of publication. In an agent skill context, this is dangerous because a prompt injection, misfire, or unintended invocation could cause unauthorized public posting from the user's account, leading to reputational harm and account misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
