redbook

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Xiaohongshu automation tool, but it needs review because it automatically uses browser login cookies, registers itself into agent environments, and can post or delete content on your account.

Install only if you are comfortable giving a local agent tool access to your active Xiaohongshu browser session and account actions. Review the postinstall behavior first, avoid pasting raw cookies into prompts or shell history, use a dedicated browser profile if possible, and treat post, comment, batch-reply, collect/like, upload, and delete commands as real account-changing actions that need explicit human approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Intent-Code Divergence

Severity: Medium, confidence 88%

Finding:
The documentation contains contradictory statements about whether like operations are supported, which undermines operator understanding of what the tool can actually do. Security-relevant documentation inconsistencies are risky because they can hide real write capabilities, break policy enforcement, and lead reviewers to underestimate account-impacting actions.

Description-Behavior Mismatch

Severity: Medium, confidence 88%

Finding:
The post-install script performs nontrivial local side effects: it creates or replaces a symlink in ~/.claude/skills and rewrites files inside node_modules for a dependency. These behaviors exceed a typical install-time setup for a Xiaohongshu CLI and create a trust-boundary issue because package installation implicitly modifies the host environment and future runtime behavior without explicit user consent.

Context-Inappropriate Capability

Severity: Medium, confidence 92%

Finding:
Automatically symlinking the package into ~/.claude/skills installs an agent capability into Claude Code as a side effect of npm install, which is unexpected for the stated CLI purpose. This can broaden the package's execution surface and persistently expose the skill to the user's agent environment without explicit authorization.

Context-Inappropriate Capability

Severity: Medium, confidence 95%

Finding:
The CLI can directly extract authenticated Xiaohongshu cookies from local browser profiles, which grants access to active sessions without requiring the user to re-authenticate in the tool. In a skill whose stated purpose does not prominently disclose credential/session harvesting behavior, this creates a sensitive trust boundary violation and materially increases the risk of account takeover or unauthorized actions if the tool is abused or extended.

Context-Inappropriate Capability

Severity: Medium, confidence 89%

Finding:
This code discovers or launches a local Chrome instance, attaches to the DevTools endpoint, and issues Network.getAllCookies to retrieve decrypted browser cookies. That is a sensitive capability far beyond ordinary content search/analysis and materially increases the skill's ability to access local secrets, including authenticated session tokens.

Intent-Code Divergence

Severity: Low, confidence 81%

Finding:
The public API suggests only CDP-based extraction, but the implementation also copies Chrome profile files, including cookie databases and Local State, into a temporary directory. This hidden expansion of behavior is security-relevant because it duplicates sensitive browser data on disk and can surprise callers who did not consent to local profile copying.

Description-Behavior Mismatch

Severity: High, confidence 95%

Finding:
The file implements write and destructive capabilities far beyond the stated skill purpose of searching, reading, analyzing, and automating content. It can like, comment, collect, delete notes, upload files, and create posts, which creates a significant scope mismatch that can mislead users and enable unintended account actions if the skill is invoked with authenticated cookies.

Context-Inappropriate Capability

Severity: Medium, confidence 87%

Finding:
The uploadFile method reads an arbitrary local path with fs.readFileSync and transmits the bytes to a remote Xiaohongshu upload host. In a skill advertised mainly for search/read/analyze automation, this is a sensitive capability because it can exfiltrate local files if higher-level inputs are not tightly constrained.

Context-Inappropriate Capability

Severity: Medium, confidence 88%

Finding:
This file contains curated browser fingerprint data intended to make automation appear like a real user environment, including GPU strings, screen resolutions, plugins, and fonts. In the context of a Xiaohongshu automation skill, this supports anti-detection evasion and can facilitate scraping or automated actions while bypassing platform defenses, which is a risky capability beyond ordinary CLI content retrieval.

Context-Inappropriate Capability

Severity: Medium, confidence 93%

Finding:
This module generates a highly detailed synthetic browser fingerprint, derives anti-bot telemetry, and signs requests in a way that appears designed to emulate a real browser session. In the context of a CLI skill for automating Xiaohongshu content, that meaningfully increases misuse potential by enabling stealthier scripted access and bot-detection evasion beyond ordinary API consumption.

Missing User Warnings

Severity: Medium, confidence 91%

Finding:
The README explicitly tells users to hand an AI agent an installation-and-verification prompt, states the agent will 'handle cookie issues', and relies on browser session cookies for authentication. That creates a real risk of exposing live Xiaohongshu session tokens to an agent or surrounding tooling without clear warnings about account takeover, privacy exposure, or the sensitivity of browser cookies.

Missing User Warnings

Severity: Medium, confidence 89%

Finding:
The command examples include commenting, replying, collecting/uncollecting, batch replies, and publishing posts, all of which perform authenticated, externally visible account actions. Presenting them as routine quick-start commands without strong warnings about side effects, reversibility, spam risk, or account penalties can cause unintended actions when used through an autonomous agent.

Missing User Warnings

Severity: Medium, confidence 85%

Finding:
The document proposes sending user-provided topics/content to Gemini via an external API but does not mention any user-facing privacy notice, consent, or data handling warning. In a skill context, this can lead operators to unknowingly transmit sensitive prompts, account content, or business data to a third-party service, creating privacy and compliance risk.

Missing User Warnings

Severity: Medium, confidence 98%

Finding:
The delete command performs a destructive account action immediately after parsing the URL, with no confirmation prompt, dry-run, ownership validation in the CLI layer, or safety interlock. This increases the chance of accidental data loss from mistyped IDs, pasted URLs, automation mistakes, or misuse of a compromised session.

Missing User Warnings

Severity: Medium, confidence 92%

Finding:
The function copies Local State and cookie database files from the user's Chrome profile to a temp directory, creating an additional plaintext-accessible replica of highly sensitive browser state. Without prominent user warning and consent, this is a privacy and security issue because the temp copy may expose session tokens to other local processes, forensic recovery, or accidental retention.

Missing User Warnings

Severity: Medium, confidence 84%

Finding:
This code sends local file contents to a remote host using a provided path and upload token, without any indication of user confirmation at this layer. In the context of a skill whose description does not prominently disclose local file exfiltration, that capability is security-sensitive and can be abused by an upstream agent or prompt flow.

Missing User Warnings

Severity: High, confidence 93%

Finding:
The deleteNote method performs an authenticated destructive action with no built-in confirmation, safety interlock, or indication that the action is irreversible. In an agentic setting, this increases the risk of accidental or unauthorized content deletion from a user's account.

Missing User Warnings

Severity: Medium, confidence 90%

Finding:
This code intentionally extracts authenticated browser cookies from local browser stores and, if that fails, falls back to Chrome DevTools Protocol to bypass encryption barriers. Even if presented as a convenience feature, this is credential-access behavior that can recover active session tokens and enable account impersonation without requiring the user's password.

Missing User Warnings

Severity: Medium, confidence 79%

Finding:
This code automates posting replies to Xiaohongshu comments via `client.replyComment(...)` without any built-in disclosure, approval checkpoint, or provenance marker indicating the response was generated or sent automatically. In a social-platform automation skill, undisclosed automated engagement can mislead users, violate platform policies, and enable scalable spam or impersonation-like behavior if the caller supplies deceptive templates.

Missing User Warnings

Severity: Medium, confidence 97%

Finding:
The fingerprint generator serializes all provided cookies into x57 and incorporates that data into generated anti-bot telemetry, which can expose session-related secrets to downstream services or logs. Embedding cookies into opaque telemetry without clear minimization or user notice increases the risk of credential leakage, unintended data sharing, and replay/abuse if those values are captured.

Ssd 4

Severity: Medium, confidence 94%

Finding:
The onboarding flow encourages agent-mediated authenticated access using browser cookies and suggests the agent can troubleshoot cookie problems automatically. In skill context, this is more dangerous because the agent is being positioned as an end-to-end operator over a real user account, increasing the chance of credential exposure and unintended authenticated actions.

Ssd 4

Severity: High, confidence 97%

Finding:
The troubleshooting section gives a concrete escalation path to obtain raw session cookies from the browser and paste them directly into commands. Raw session cookies are reusable bearer credentials; if captured by an agent, shell history, logs, screenshots, or telemetry, they can enable full authenticated access to the user's Xiaohongshu account.

Ssd 4

Severity: Medium, confidence 93%

Finding:
The English onboarding repeats the same risky model: instructing users to give an AI agent a prompt that installs the tool, verifies access, and handles cookie issues. That normalizes handing credential-adjacent workflows to an agent and increases the chance of session token disclosure or silent account actions.

Ssd 4

Severity: High, confidence 98%

Finding:
This section provides step-by-step instructions to retrieve live cookie values from Chrome DevTools and use them directly for authentication. In context, that is highly dangerous because it operationalizes extraction of bearer tokens and makes accidental disclosure through logs, prompts, copied commands, or agent memory much more likely.

Credential Access

Severity: High, confidence 92%

Category: Privilege Escalation

Content:
- Uses `@steipete/sweet-cookie` to read browser cookies
- Auto-discovers Chrome profiles via `~/Library/Application Support/Google/Chrome/Local State`
- Keychain timeout patched to 30s in node_modules (upstream bug: hardcoded 3s)
- `--chrome-profile` flag available as escape hatch, but auto-discovery handles most cases

Finding:
Keychain

VirusTotal

VirusTotal findings are pending for this skill version.
