xhs-search-skill

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu research skill mostly matches its stated purpose, but it logs the AgentBay API key in plaintext and under-discloses some persistent storage and session behavior.

Review carefully before installing. Do not use this version with a sensitive AgentBay key or personal Xiaohongshu account unless the API-key logging is removed. Expect login cookies to persist in the AgentBay browser context, extracted notes/comments to be saved locally, and logs to remain on disk until cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to install dependencies, read and write local files, access environment variables, and make networked browser/API calls, yet it declares no explicit permissions or user-facing capability boundaries. This creates a real security gap because the agent may perform sensitive operations without clear authorization, reducing transparency and making misuse or overreach harder to detect.

Context-Inappropriate Capability

High
Confidence: 99%
Finding: The code logs `api_key` directly via `_log.info(f"session_id: {session_id}, api_key:{api_key}")`, which writes a sensitive credential to persistent log files and likely console output. Anyone with access to logs can reuse the AgentBay credential to create sessions or access associated resources, which is unrelated to the keyword-research function and materially increases compromise risk.

Vague Triggers

Medium
Confidence: 86%
Finding: The trigger conditions are broad natural-language phrases such as '搜/查/看热点/找笔记/提取评论/做舆情分析' (search / look up / view trending topics / find notes / extract comments / do public-opinion analysis), which can match many ordinary requests and invoke the skill unexpectedly. In this skill's context, accidental invocation is more dangerous because execution can lead to login-state reuse, web scraping, dependency installation, and external data collection without the user specifically intending those actions.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill states that the sandbox will retain login state across uses and performs note/comment extraction, but it does not clearly warn users about privacy, account-session persistence, or the implications of collecting third-party content. This is dangerous because users may not realize their authenticated session may be reused later or that scraping comments can involve personal data and platform-policy risk.

Missing User Warnings

High
Confidence: 99%
Finding: This is a true positive: the AgentBay API key is emitted to logs in plain text with no masking or user warning. Because the skill creates log files under `logs/` and also enables console logging, the secret may be exposed to local users, operators, CI systems, or log aggregation backends.

Ssd 3

High
Confidence: 99%
Finding: The natural-language status log includes the full API key, creating plain-text credential disclosure in routine operational logging. Since this skill handles browser automation and persistent sessions, leaked credentials could allow unauthorized use of the AgentBay account and downstream access to browser contexts or billing-consuming actions.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
# Install:
#   pip install -r requirements.txt
#
playwright
pydantic>=2.0
wuying-agentbay-sdk
Confidence: 91%
Finding: playwright

Unpinned Dependencies

Low
Category: Supply Chain
Content:
#
playwright
pydantic>=2.0
wuying-agentbay-sdk
Confidence: 93%
Finding: wuying-agentbay-sdk

Unpinned Dependencies

Low
Category: Supply Chain
Content:
#   pip install -r requirements.txt
#
playwright
pydantic>=2.0
wuying-agentbay-sdk
Confidence: 95%
Finding: pydantic>=2.0

VirusTotal

66/66 vendors flagged this skill as clean.
