Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
redbook
v0.7.2 · Search, read, analyze, and automate Xiaohongshu (小红书) content via CLI
⭐ 2 · 1.3k · 8 current · 9 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Xiaohongshu CLI that uses browser cookies) matches the code and SKILL.md: the package provides a 'redbook' binary, cookie-extraction logic, request signing, and API calls to XHS endpoints. Minor mismatch: README claims multi-OS support, but the SKILL.md/metadata restricts the skill to macOS — this is a small metadata inconsistency but not a functional break.
Instruction Scope
SKILL.md instructs agents to install the npm package and run the redbook CLI (search/read/analyze/post). It explicitly relies on reading local browser cookies (Chrome profile paths, keychain access) which is necessary for cookie-based auth. The SKILL.md includes a pre-scan 'base64-block' injection signal (see scan_findings). Allowed-tools include Read/Write/Bash which lets the agent run CLI commands and read local files — appropriate for the stated workflow but grants access to browser cookie storage and local state files.
Install Mechanism
Install uses an npm package (@lucasygu/redbook) (expected). However the package's postinstall script performs two notable actions: (1) creates a symlink at ~/.claude/skills/redbook to auto-register the skill with Claude Code, and (2) patches files inside node_modules/@steipete/sweet-cookie to change keychain timeout and SQL handling. Both are written to disk during install and modify user/home paths and dependency internals — behavior that is explainable for integration/compatibility but is intrusive and increases risk compared to a pure instruction-only skill or a package that does not alter other on-disk tooling.
Credentials
The skill does not request cloud API keys or unrelated credentials in requires.env. It uses browser cookies (a1, web_session) to authenticate, which is proportional to its functionality. The package discusses optional Gemini integration (GEMINI_API_KEY) but does not require it by default.
Persistence & Privilege
always:false (normal). The postinstall symlink registers the skill with Claude Code by writing to ~/.claude/skills, giving the skill an automatic invocation path in that tool — this is a persistent side-effect of installation (but not an 'always:true' global activation). The package also modifies dependency files inside node_modules on install (persistent until package removed), which is an additional persistence risk to be aware of.
Scan Findings in Context
[base64-block] unexpected: A base64-block pattern was detected in SKILL.md. The SKILL.md primarily contains usage docs and examples; base64 blocks are not required for a CLI README and may indicate embedded data or an attempt at prompt injection. This finding is worth manual review of the SKILL.md content in the repository to see what the base64 encodes and why it is present.
What to consider before installing
What to consider before installing/running this skill:
- This package authenticates by reading your browser cookies (Chrome). That requires access to Chrome profile files and on macOS may trigger Keychain prompts; if you are logged into a Xiaohongshu account you supply those session credentials to the tool. Only install this if you trust the source and understand cookie-based auth risks.
- The npm postinstall script will: (a) create a symlink at ~/.claude/skills/redbook so Claude Code gains an automatic /redbook command, and (b) patch files inside node_modules/@steipete/sweet-cookie to change timeouts/SQL behavior. These are intrusive, persistent changes done without a separate opt-in step. If you prefer not to have automatic registration or dependency patching, avoid running install scripts (e.g., use npm with scripts disabled) or review/modify scripts before running.
- The code is coherent with its stated purpose (search/read/analyze/post). Still, review src/lib/client.ts and src/lib/cookies.ts yourself to confirm which remote endpoints are contacted and to validate error handling. Look for any unexpected outbound endpoints beyond the described XHS APIs.
- The pre-scan flagged a base64-block inside SKILL.md. Inspect that encoded content to ensure it is benign (e.g., an embedded image or sample) and not malicious prompt injection or hidden instructions.
- Safer ways to evaluate: run the CLI in an isolated environment or VM; test with a throwaway XHS account; or install without running postinstall (npm install --ignore-scripts) then manually inspect/enable the behaviors you want. If you rely on Claude Code integration, review ~/.claude/skills after installation and the package's postinstall script to confirm the symlink target.
- If you are not comfortable with local modifications (symlink or dependency patches) or giving a CLI direct access to browser session cookies, do not install or only use a vetted, reviewed binary/source.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- src/lib/cdp-cookies.ts:69: Shell command execution detected (child_process).
- src/lib/cdp-cookies.ts:48: Environment variable access combined with network send.
- src/cli.ts:30: File read combined with network send (possible exfiltration).
- src/lib/client.ts:586: File read combined with network send (possible exfiltration).
latest: vk97btgc9cxgjdx2ctshfjs6sks84ph0d
Runtime requirements
OS: macOS
Bins: redbook
Install
Node: npm i -g @lucasygu/redbook