Xiaohongshu Ops

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can operate a live Xiaohongshu account and persist user/account work without enough clear consent and risk boundaries.

Install only if you intentionally want an agent to assist with a live Xiaohongshu account. Before using it, require manual confirmation before any publish or comment send, avoid letting it run bulk replies, review what it writes into knowledge-base/style-learning files, and remove or ignore the instruction that suggests bypassing sensitive-person or copyright refusals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The skill contains contradictory guidance: one section explicitly says never to automate Xiaohongshu because it can trigger platform detection, while other sections instruct browser-based login, navigation, reply sending, and progressing to the publish screen. This inconsistency can lead an agent to perform risky automation on a platform that appears sensitive to automated behavior, exposing accounts to warnings, suspension, or unintended actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill says it is 'not posting', but the workflow still drives the agent deep into the creator backend up to the visible publish button and permits posting after confirmation. That creates a misleading safety boundary: an operator may assume the skill is passive while it actually performs high-risk account actions in a live production environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The prompt assembly guidance explicitly tells the model that if content involves sensitive people or copyrighted material, it should generate a similar substitute depiction instead of refusing. That is a safety-bypass pattern because it preserves the user's prohibited goal while trying to evade downstream safeguards, and it is not necessary for normal Xiaohongshu image operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The file is presented as an evaluation/extraction reference, but it also includes DOM automation that focuses a contenteditable element, inserts text, and dispatches an input event. That crosses from passive scraping into active UI interaction, which can be reused to automate comments or replies on the platform and increases abuse potential for spam, manipulation, or unauthorized posting workflows.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly promotes automated posting and automatic comment replies for a social media account, but provides no warning, approval gate, or discussion of risks such as unintended publication, misleading engagement, account policy violations, or reputational harm. In this skill context, the capability is central to the tool and therefore more dangerous, because it operationalizes autonomous public-facing actions at scale via task delegation from Feishu/Openclaw.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The invocation scope is broad enough to auto-route many general lifestyle or social-commerce requests into this skill, increasing the chance that users are subjected to account-operational workflows, file persistence, and platform-specific behavior they did not intend. Over-broad triggering is dangerous because it expands the blast radius of the skill's more sensitive behaviors.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to read, modify, and delete local handoff files automatically, but does not prominently disclose that user data and intermediate work products will be changed on disk. Silent file mutation can cause data loss, overwrite prior work, or consume materials from other workflows without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs proactive storage of task outputs and operational history into a knowledge base without first obtaining clear user consent. This creates privacy and retention risks because user content, account analysis, and workflow details may be persisted beyond the immediate task unexpectedly.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The persona is entirely written as a Chinese-only Xiaohongshu account voice and gives no indication that the agent should adapt to the user's preferred language. In practice, this can override user choice and cause unwanted language switching, reducing usability and creating a prompt-level policy conflict, though it is not a direct security exploit.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
The file is entirely written in Chinese and is framed as a mandatory workflow for generating and evaluating Xiaohongshu titles, with no indication that the agent should adapt to the user's requested language. In a multilingual agent environment, this can cause the skill to override user language preference, degrade usability, and lead to unintended disclosure or miscommunication if content is produced in a language the user did not request.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill explicitly instructs persisting account checkup results into a knowledge-base file, and those results may include sensitive business context such as account positioning, red lines, validated growth tactics, and potentially identifiable account names. Without an explicit consent check, retention policy, or data-minimization guidance, the agent could store user-provided operational data beyond the immediate task, creating privacy and confidentiality risk.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The skill mandates long-term retention of user/task data in a knowledge base and style-learning pipeline, including recording original and final drafts and building reusable style pairs over time. This is dangerous because it enables silent accumulation of potentially sensitive content, behavioral history, and derived profiling data beyond the current task, increasing privacy, leakage, and secondary-use risk.

Ssd 1

Severity: Medium
Confidence: 99%
Finding
The instruction 'if sensitive people or copyrighted content are involved, draw a similar cartoon substitute—do not refuse' is an explicit reframing of prohibited requests into a near-equivalent output. This undermines downstream safety policies by encouraging the model to satisfy restricted requests through imitation rather than compliant refusal or safe redirection.

VirusTotal

65/65 vendors flagged this skill as clean.