Xiaohongshu Mcp Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks users to run an external Xiaohongshu MCP service with login cookies and exposes account-changing actions that are not fully reflected in the main skill scope.

Install only if you trust the external MCP binary and are comfortable giving it access to your Xiaohongshu session. Keep the localhost endpoint private, protect or delete cookies.json after use, stop the background process when finished, and require explicit confirmation before any like, favorite, or comment action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: The README advertises account-affecting actions such as liking, favoriting, and commenting, while the skill metadata frames the skill as read-oriented search and browsing. This scope mismatch can mislead users or upstream agents into invoking write actions they did not expect, increasing the risk of unauthorized social actions on a real account.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The documented tool list includes state-changing functions like like_feed, favorite_feed, and post_comment_to_feed that are not reflected in the read-focused skill description. Hidden or under-declared write capabilities are dangerous because an agent or user may treat the integration as passive while it can perform actions on a logged-in account.

Missing User Warnings

Medium
Confidence: 88%
Finding: The README combines interactive account operations with a local cookie-backed service but does not warn that actions can affect the user's live account or that credentials/session material are stored locally. In this context, the absence of warnings increases the chance of unsafe deployment, accidental account actions, and mishandling of local session artifacts.

VirusTotal

54/54 vendors flagged this skill as clean.