Back to skill
Skillv1.0.1
ClawScan security
小红书MCP增强版 by Chaceclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 23, 2026, 9:33 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions align with its stated purpose (XHS automation) but includes installation and configuration guidance that relies on unverified packages/images and optional webhook settings that could leak sensitive tokens—review before use.
- Guidance
- This skill appears to do what it says (automate Xiaohongshu via an external MCP service) but you should not blindly run its suggested installers or paste credentials into files without verifying the MCP implementation. Before installing/using: - Inspect the xiaohongshu-mcp package/image source (npm and Docker publisher, repository, and code) and prefer official/verified releases. - Treat the ~/.config/xiaohongshu cookies/tokens as full-account credentials: do not share them, store with strict permissions, and avoid keeping plaintext backups. - Avoid setting webhook_url to an untrusted external endpoint; it could leak refresh notifications or be abused. If you need notifications, use a trusted internal endpoint. - Run new MCP installs in an isolated environment (container or VM) and limit network access where possible. - Consider manual token refresh and local-only operation if you cannot validate the MCP package. If you cannot verify the upstream MCP tool and publisher, classify this skill as high-risk and do not provide your account cookies or enable automated operations.
- Findings
[no_regex_matches] expected: The static regex scanner found nothing to analyze; this is typical for an instruction-only skill composed of docs/recipes. Absence of matches is not evidence of safety—manual review of installation recommendations and config handling is necessary.
Review Dimensions
- Purpose & Capability
- okName/description match the content: all files are XHS-focused and consistently require an external xiaohongshu-mcp MCP service (check_login_status, post_note, search_feeds, etc.). Asking the user to provide cookies/tokens and local config files is proportionate to an automation assistant for a web service.
- Instruction Scope
- noteSKILL.md files are narrowly scoped to XHS operations and repeatedly require use of the xiaohongshu-mcp tool; they explicitly forbid substituting other tooling. They instruct saving cookies/tokens under ~/.config/xiaohongshu and show an optional webhook_url for refresh notifications — the webhook option could be used to send sensitive info externally if misconfigured, so treat it as a potential exfiltration vector.
- Install Mechanism
- concernThere is no enforced install spec in the skill bundle, but the setup guide recommends running npx xiaohongshu-mcp@latest and docker pull xiaohongshu-mcp:latest. Those commands fetch and run code from external registries/images with no homepage, author provenance, or verified release information in the skill metadata — this is reasonable for a connector but increases supply-chain risk and warrants verifying the package/image source before running.
- Credentials
- noteThe skill declares no required env vars, which is coherent, but it instructs storing highly sensitive authentication material (browser cookies, device_id, tokens) in ~/.config/xiaohongshu/*. Those are necessary for account automation but are sensitive by nature. The optional webhook_url field in the config could forward notifications (and, if misused, secrets) to external endpoints — optional but high-impact if misconfigured.
- Persistence & Privilege
- okalways:false and no unusual persistence requests. The skill expects the platform to have an MCP connector available; autonomous invocation (default) would allow it to call MCP tools to act on accounts, which is expected for this type of automation. This becomes higher-risk only if combined with untrusted MCP installs or exposed credentials.