Xiaohongshu MCP Enhanced Edition (小红书MCP增强版) by Chaceclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Xiaohongshu automation skill, but it is rated Review because it handles session cookies and can post, interact, scrape, and persist data, with broad activation triggers and anti-ban guidance.

Install only if you are willing to trust the external xiaohongshu-mcp package with an active Xiaohongshu session. Prefer a test account, pin or verify the package/image, keep the MCP endpoint bound to localhost, protect cookie/token files like passwords, and require explicit confirmation before any publish, comment, like, collect, account switch, batch operation, or data export.
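The controls listed above (local endpoint, password-grade cookie file, explicit confirmation for side-effecting and batch calls) are the kind of thing an agent host can enforce in front of the MCP server rather than trusting the skill text. The following is an added example of such a host-side policy gate; it is not part of the skill or of xiaohongshu-mcp, and the tool names, the `ids` batch parameter, the cookie file contents and the endpoint URLs are assumptions for illustration.

```python
"""Added example: a host-side policy gate for an MCP skill that holds live
Xiaohongshu session cookies. Not part of the skill or of xiaohongshu-mcp;
the tool names, cookie path and endpoint below are assumptions."""
import os
import stat
import tempfile
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed tool names (the real server's names may differ). Anything not listed
# as read-only is denied unless the user has confirmed that specific call.
READ_ONLY_TOOLS = {"check_login_status", "search_feeds", "get_feed_detail", "get_user_profile"}
SIDE_EFFECT_TOOLS = {"publish_content", "post_comment", "like_feed", "collect_feed",
                     "switch_account", "export_data"}
SECRET_KEY_MARKERS = ("cookie", "token", "session", "password")
BATCH_LIMIT = 5  # a read touching more ids than this counts as a batch operation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_local_endpoint(url: str) -> bool:
    """Only talk to an MCP server bound to the loopback interface."""
    host = urlparse(url).hostname
    return host in {"127.0.0.1", "::1", "localhost"}


def cookie_file_issues(path: str) -> list:
    """Return problems with the file holding the session cookie (treated like a password)."""
    if not os.path.lexists(path):
        return ["file does not exist"]
    st = os.lstat(path)
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append("path is a symlink")
    if st.st_mode & 0o077:
        issues.append("file is readable or writable by group/others (expected mode 0600)")
    return issues


def make_temp_cookie_file(mode: int) -> str:
    """Create a constructed placeholder cookie file with the given mode (demo only)."""
    fd, path = tempfile.mkstemp(prefix="xhs-cookies-", suffix=".json")
    with os.fdopen(fd, "w") as f:
        f.write('{"web_session": "constructed-placeholder"}')  # not a real cookie
    os.chmod(path, mode)
    return path


def redact(args: dict) -> dict:
    """Mask secret-looking values before arguments are logged or echoed to the model."""
    return {k: ("***" if any(m in k.lower() for m in SECRET_KEY_MARKERS) else v)
            for k, v in args.items()}


def decide(tool: str, args: dict, confirmed: bool = False) -> Decision:
    """Gate one tool call. `confirmed` means the user approved this specific call,
    not the skill in general. Unknown tools are denied by default."""
    ids = args.get("ids")
    batch = len(ids) if isinstance(ids, list) else 0
    if tool in READ_ONLY_TOOLS:
        if batch > BATCH_LIMIT and not confirmed:
            return Decision(False, f"batch of {batch} exceeds {BATCH_LIMIT}; confirm first")
        return Decision(True, "read-only")
    if tool in SIDE_EFFECT_TOOLS:
        if not confirmed:
            return Decision(False, f"{tool} changes account state; confirm first")
        return Decision(True, "confirmed side effect")
    return Decision(False, f"unknown tool {tool!r} denied by default")


if __name__ == "__main__":
    print(is_local_endpoint("http://127.0.0.1:18060/mcp"), is_local_endpoint("http://0.0.0.0:18060/mcp"))
    print(cookie_file_issues(make_temp_cookie_file(0o644)))
    print(decide("publish_content", {"title": "test"}))
    print(decide("publish_content", {"title": "test"}, confirmed=True))
    print(redact({"cookie": "web_session=abc", "keyword": "tea"}))
```

The gate is deliberately deny-by-default: a tool the host has not classified is refused, and a confirmation covers one call rather than the whole session, so a broad trigger that mis-routes a request still cannot publish, like or export anything on its own.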

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The setup skill goes beyond deployment and includes operational account capabilities such as posting, interacting, and account actions. Expanding a setup-only skill into live account operations increases the chance that a user invokes privileged social-platform actions under the wrong context, weakening separation of duties and making misuse easier.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
Documenting token refresh, webhook notifications, and multi-account management inside a setup skill materially expands its authority and persistence footprint. These features enable long-lived access and broader account control than implied by the skill description, which can surprise users and increase the blast radius of accidental or unauthorized use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This section gives operational guidance to reduce detection while scraping at scale, including concurrency throttling, timing dispersion, and daily volume controls. That goes beyond ordinary browsing documentation and meaningfully facilitates evasion of platform safeguards, which increases the risk of abusive collection and terms-of-service violations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding
The explicit '防封采集要点' ("anti-ban collection essentials") section is directly framed around avoiding bans while collecting data, which is a strong indicator of evasion-oriented design. In context, this materially lowers the barrier for persistent scraping and makes misuse easier for operators seeking to avoid platform enforcement.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The ban-check routine performs a synthetic like against a test note solely to probe enforcement state, causing an unrequested platform action with side effects. This is dangerous because it can create unauthorized interactions, pollute user activity, and normalize active probing of platform controls rather than validating status through passive signals or explicit user-approved actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The skill is described as a profile-analysis tool, but it also implements blacklist/suspicion detection that labels users based on heuristics like keywords in bios, engagement ratios, and posting times. This materially expands the behavior from analytics into risk scoring of individuals without disclosure, which can lead to misclassification, covert profiling, and downstream misuse in moderation or business decisions.

Vague Triggers

Severity: High
Confidence: 94%
Finding
The activation criteria are explicitly broad enough to trigger on vague phrases like '写一篇' ("write a piece") or '帮我分析这个博主' ("help me analyze this blogger") even when the user has not clearly requested Xiaohongshu actions. In an agent setting, over-broad routing can cause the assistant to invoke platform-specific automation, login checks, publishing, or interaction flows for an unintended service, increasing the risk of unauthorized actions or context confusion.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger list includes generic terms like "种草" ("seeding", i.e. recommending a product) and "博主" ("blogger") that can appear in many unrelated conversations, which increases the chance that this social-media automation skill activates without clear user intent. In this context, unintended activation is more dangerous because the skill can perform platform actions such as posting, liking, collecting, and commenting, creating a path to unwanted account activity or privacy-impacting data access.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger list contains broad terms like '安装' ("install"), '配置' ("configure"), '第一次用' ("first time using"), and 'setup', which are likely to appear in normal conversation unrelated to this MCP service. Overbroad activation can cause the assistant to enter a sensitive deployment/authentication workflow unexpectedly, increasing the risk of credential handling or account-affecting actions without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The activation examples are ambiguous and do not clearly distinguish setup failures from ordinary discussion of deployment or first-time use. In a skill that handles login state, cookies, and MCP connectivity, ambiguous invocation criteria make accidental execution more dangerous because users may be guided into sensitive setup procedures unnecessarily.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill instructs users to extract browser cookies and store them in a local config file without a prominent warning that these cookies are authentication secrets equivalent to account access. This can lead users to expose reusable session credentials, enabling account takeover or unauthorized posting if the file or copied value is leaked.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger list is broad enough to match common words like “选题” ("topic selection"), “内容策划” ("content planning"), “爆款” ("viral hit"), and especially “content”, which can cause the skill to activate outside clearly intended Xiaohongshu-specific contexts. Over-broad activation can route unrelated user requests into a social-platform growth workflow, increasing the chance of unintended actions, misleading advice, or context confusion across the agent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The example invocations like “帮我策划内容” ("help me plan content"), “选什么题” ("which topic should I pick"), and “怎么涨粉” ("how do I grow followers") are ambiguous and do not constrain the request to Xiaohongshu. In a multi-skill agent, such examples teach the router to associate generic marketing language with this skill, which can misfire on unrelated business, education, or general content-planning requests.

Vague Triggers

Severity: High
Confidence: 92%
Finding
The trigger set is overly generic, with common words like '浏览' ("browse"), '推荐' ("recommend"), and '看详情' ("view details") that can easily match unrelated conversation and cause unintended activation. Because this skill can perform data collection and analysis on social-platform content, accidental invocation expands the chance of privacy-impacting or policy-sensitive actions without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill documents large-scale note/comment collection, batch fetching, and JSON export of user-associated content without prominent notice about privacy, consent, retention, or downstream use. In this context, the ability to aggregate and locally store comments, nicknames, IDs, and metadata increases the risk of unauthorized profiling or bulk harvesting.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger phrases are broad enough to match common conversational words like '回复' ("reply") or '互动' ("interact"), increasing the chance that the skill is invoked outside the user's intended context. In a skill that can perform account actions on a social platform, overbroad activation is dangerous because it can lead to unintended likes, comments, or other side-effecting operations.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The triggers "登录" ("log in") and "扫码" ("scan a QR code") are overly broad and can cause the skill to activate on unrelated user requests that merely mention logging in or scanning a code. In a skill that handles cookies, session state, QR login, SMS verification, and account switching, unintended activation increases the risk of credential-handling flows being invoked in the wrong context, potentially exposing sensitive auth operations or causing unsafe account actions.

Vague Triggers

Severity: Low
Confidence: 80%
Finding
The phrase "账号异常" ("account anomaly") is ambiguous and may match many account-related support scenarios outside this skill's intended scope. Because this skill can perform sensitive login-state and account-management operations, vague activation guidance can route users into authentication workflows unnecessarily, increasing the chance of mishandling credentials or performing unintended account changes.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger list includes highly generic phrases such as “发布” ("publish"), “上传” ("upload"), “写一篇” ("write a piece"), and “post”, which are common across many unrelated tasks. This can cause the skill to activate outside its intended Xiaohongshu-specific context, leading to unintended execution of social-media posting workflows or misrouting user requests to a high-action automation skill.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The activation examples remain ambiguous because phrases like “发布图文” ("publish an image-and-text post"), “上传视频” ("upload a video"), and “定时发布” ("schedule a post") do not clearly bind the action to Xiaohongshu. In the context of a skill that can post content and schedule publication, ambiguous routing increases the risk of accidental invocation and unintended content publication on the wrong platform or without sufficient user intent verification.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The trigger set includes very generic phrases such as '博主' ("blogger"), '主页' ("profile page"), '粉丝' ("followers"), and 'profile', which can cause the skill to activate during ordinary conversation or ambiguous requests. In a skill that accesses account data and performs analysis, overbroad triggering increases the chance of unintended data retrieval, privacy-impacting actions, or surprising behavior without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill collects and analyzes profile attributes, follower counts, engagement metrics, posting patterns, and collaboration value, but provides no user-facing privacy notice, data-handling explanation, retention limits, or consent boundary. Because the skill performs structured profiling of identifiable accounts, the absence of transparency and safeguards raises privacy, compliance, and misuse risks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document explicitly describes storage locations for browser cookies and API tokens but does not warn that these are highly sensitive secrets or provide any guidance on filesystem permissions, encryption, redaction, or rotation. In an automation skill for a consumer platform, this increases the risk of credential theft, account takeover, and unintended persistence of reusable authentication material.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list is broad and generic, including terms like “搜索” ("search"), “热门” ("trending"), and “search”, which are common in normal conversation and can cause the skill to activate outside the user’s intended platform or task. Over-broad activation expands the skill’s authority surface and may route unrelated user requests into a capability that performs automated collection and analysis on Xiaohongshu data.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The invocation examples are phrased as ordinary user requests without strong boundaries, so a routing system may infer activation from vague language like “看看这个话题” ("take a look at this topic") or “找热门笔记” ("find trending notes"). In a multi-skill environment this can misfire into unintended automation, causing searches, scraping-like collection, or competitor analysis to occur when the user did not explicitly request Xiaohongshu operations.
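The Vague Triggers findings above all describe the same defect: generic words such as "发布", "post", "搜索", "登录" or "setup" are allowed to activate the skill on their own. One mitigation a router can apply is to require a platform anchor (the platform name in the current message, or in a short window of recent turns) before any generic trigger counts, and to refuse inherited-context activation when the phrase implies a side effect. The following is an added example of such a scoped matcher; it is not part of the skill, and the anchor list, trigger lists and sample messages are constructed for illustration.

```python
"""Added example: a scoped trigger matcher for an agent skill router.
Not part of the skill; the word lists and sample messages are constructed."""
from dataclasses import dataclass

# The platform must be named somewhere before a generic trigger may fire.
PLATFORM_ANCHORS = ("小红书", "xiaohongshu", "xhs", "rednote")
# Generic trigger words the findings cite; alone they must never activate the skill.
GENERIC_TRIGGERS = ("发布", "上传", "写一篇", "post", "搜索", "热门", "search", "登录", "扫码",
                    "博主", "粉丝", "profile", "安装", "配置", "setup", "回复", "互动",
                    "浏览", "推荐", "选题", "content")
# Phrases that imply an account-changing action; an anchor inherited from earlier
# turns is not enough for these, the user has to name the platform again.
SIDE_EFFECT_WORDS = ("发布", "上传", "post", "评论", "点赞", "收藏", "回复", "登录", "扫码", "切换账号")
CONTEXT_WINDOW = 3  # how many recent turns may supply the anchor


@dataclass(frozen=True)
class Routing:
    activate: bool
    mode: str    # "explicit", "inherited" or "none"
    reason: str


def _first_hit(text, words):
    """Return the first word from `words` found in `text`, or None."""
    return next((w for w in words if w in text), None)


def route(message: str, recent_turns=()) -> Routing:
    """Decide whether this message should activate the Xiaohongshu skill."""
    text = message.lower()
    trigger = _first_hit(text, GENERIC_TRIGGERS)
    if trigger is None:
        return Routing(False, "none", "no trigger word present")
    if _first_hit(text, PLATFORM_ANCHORS):
        return Routing(True, "explicit", f"{trigger!r} with platform named in the message")
    window = " ".join(t.lower() for t in recent_turns[-CONTEXT_WINDOW:])
    if _first_hit(window, PLATFORM_ANCHORS):
        if _first_hit(text, SIDE_EFFECT_WORDS):
            return Routing(False, "inherited",
                           f"{trigger!r} implies a side effect but the platform is only "
                           "inherited from context; ask the user to confirm the platform")
        return Routing(True, "inherited", f"{trigger!r} with platform named in recent turns")
    return Routing(False, "none", f"{trigger!r} without any Xiaohongshu anchor; do not route")


if __name__ == "__main__":
    # Constructed sample conversation turns.
    prior = ["我在运营一个小红书账号"]  # "I run a Xiaohongshu account"
    for msg, ctx in [("帮我发布一篇小红书笔记", ()),       # explicit: activates
                     ("帮我写一篇关于 Rust 的博客", ()),   # generic "写一篇", no anchor
                     ("help me setup my printer", ()),    # generic "setup", no anchor
                     ("搜索热门笔记", prior),              # read-only, anchor inherited
                     ("发布图文", prior)]:                 # side effect, anchor inherited
        print(msg, "->", route(msg, ctx))
```

Treating an inherited anchor as sufficient only for read-only intent keeps the router useful in a long conversation about one platform while still forcing an explicit platform mention before it hands a publish, like or login request to a skill that holds live session cookies.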

VirusTotal

66/66 vendors flagged this skill as clean.
