Deepsop Xiaohongshu 助手

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Xiaohongshu upload purpose, but it automatically downloads and runs unpinned third-party automation code that can store login cookies and publish posts with limited user confirmation.

Review this skill before installing. Use it only if you trust the social-auto-upload project and the listed mirror hosts, preferably after pinning the upstream code yourself. Use a dedicated Xiaohongshu account or isolated profile, treat generated cookie files as credentials, and require a manual preview/confirmation before any upload command publishes content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to execute shell-based setup and runtime commands, including cloning a remote repository and running it locally, but it does not declare corresponding permissions. This creates a capability transparency problem: operators and users may not realize the skill can invoke shell actions and fetch external code, which increases the chance of unexpected code execution in a trusted workflow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file instructs the agent to automatically clone and execute a third-party repository under the user's home directory before running the skill. That materially expands the skill's trust boundary from 'assist with Xiaohongshu upload/login' to arbitrary remote code retrieval and execution, creating supply-chain risk and local system modification risk if the upstream repository or delivery path is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions require automatic fallback to multiple proxy and mirror hosts for source-code retrieval without additional trust checks. This broadens outbound network behavior and introduces extra untrusted supply-chain endpoints, increasing the chance of code tampering, mirror compromise, or unexpected data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that OPclaw will automatically clone the external social-auto-upload repository and prepare dependencies on first use, but it does not clearly warn users that invoking the skill causes code download and execution from an external project. This is dangerous because users may unknowingly authorize supply-chain exposure and local code execution under the agent runtime, especially since the README also presents the process as frictionless and safe.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes automatic login, account checking, and content upload through external tooling, but does not prominently warn that user-provided videos, images, text, and account session data will be transmitted to Xiaohongshu via the external SAU tool. This is risky because users may not realize their content and authentication-related data leave the local environment and are handled by a third-party upload workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that OPclaw will automatically clone SAU and prepare dependencies on first use, but it does not present this as an explicit security warning to the user. Automatically fetching and installing remote code introduces supply-chain and arbitrary code execution risk, especially because the instructions also require retrying via third-party mirror domains, widening the trust surface.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill handles login, cookie validation, and content upload for a social media account, which necessarily involves local cookies or other account state, but it does not clearly warn users about that privacy and account-security dependency. Without an explicit warning, users may unknowingly expose sensitive authentication material or misunderstand that local account data is being used to automate actions on their behalf.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The contract describes login flows that create or refresh cookie files and upload commands that can publish immediately, but it does not warn about credential persistence, local storage sensitivity, or the risk of accidental public posting. In a skill that automates social-media publishing, omission of these safety constraints can lead users or downstream agents to handle secrets insecurely or trigger unintended publication.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow clones a repository directly into a fixed path under the user's home directory and presents this as an automatic prerequisite. Even if the path is documented, the agent is instructed to proceed without a clear opt-in warning about local file creation and persistent modification, which can surprise users and bypass expected consent boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The runtime flow downloads Python dependencies and browser binaries from the network and installs them locally, but does not foreground the privacy, bandwidth, storage, and execution implications to the user. Because these components may execute code or automate browsers, the lack of explicit warning and consent increases operational and privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs login, account checking, and content publication in sequence with no interactive confirmation, dry-run mode, or explicit warning before executing the upload actions. In the context of an agent skill that may be triggered on a user's behalf, this creates a real risk of unintended posting to a live social-media account if the script is run with real credentials and media.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script performs headless login, account verification, and content uploads to Xiaohongshu without any interactive confirmation, warning, or disclosure to the user at execution time. In an agent skill context, that makes it easier to trigger real external account actions silently, which can lead to unintended posting, account misuse, or credential/session abuse if invoked without clear user awareness.

VirusTotal

60/60 vendors flagged this skill as clean.
