v1.0.0

xiaohongshu-comment

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:44 AM.

Analysis

This skill is transparent about commenting on Xiaohongshu, but it can automatically publish AI-generated comments from the user's logged-in Chrome account without an explicit final approval step.

Guidance: Review carefully before installing. If you use it, require the agent to show you the exact comment and wait for your approval before sending, use a dedicated browser profile if possible, and avoid repeated automated comments.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
**Execution flow:** ... 4. Generate comment: "This is so real, I'm dying of laughter 🤣" 5. Automatically type and send

The workflow instructs the agent to generate a comment and then automatically submit it, rather than requiring explicit review of the exact text before publishing.

User impact: A generated comment could be publicly posted from the user's Xiaohongshu account, potentially causing embarrassment, spam-like behavior, or platform-policy issues.
Recommendation: Require an explicit final user confirmation for the exact comment text before clicking Send, and keep actions limited to one user-provided link at a time.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
`profile: "chrome"` — uses the user's existing Chrome browser ... **Login state**: the user must already be logged in to their Xiaohongshu account in the browser

The skill relies on the user's existing Chrome profile and logged-in Xiaohongshu session to act on the user's account.

User impact: The agent would operate in an authenticated browser context and can post as the logged-in user.
Recommendation: Install only if you are comfortable letting the agent use your logged-in Xiaohongshu session; prefer a dedicated browser profile and review each post before submission.