Security audit

Xiaohongshu Auto-Interaction Skill

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates Xiaohongshu likes and favorites, but it can run repeatedly from a logged-in account without per-post approval.

Install only if you intentionally want automated Xiaohongshu engagement from your logged-in account. Avoid enabling cron until you have reviewed the script, use a test account if possible, add a dry-run or approval step, fix the hardcoded paths, and periodically delete or protect the log and history files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Although presented as an install test, the script modifies file permissions with chmod +x and explicitly guides the operator to configure a recurring cron job for automated execution. In a skill context, that behavior exceeds passive validation and introduces persistence-oriented operational changes that could normalize unattended execution of a separate automation script.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The script claims it avoids duplicate interactions, but it writes failed like/favorite attempts into persistent history and later treats those entries as already processed. This can permanently suppress retries after transient MCP/network errors and causes state corruption that misrepresents what actions were actually performed on the account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog explicitly states that all like and favorite actions are recorded to a persistent history file, but provides no notice about retention limits, access controls, or privacy implications. Even if the data seems operational, it documents behavioral activity tied to an account, which can expose user activity patterns and create unnecessary retention risk if the file is leaked or misused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The changelog recommends running the interaction script automatically 3-5 times per day without warning that it performs repeated account actions such as likes and favorites. In the context of a social-platform automation skill, this increases the risk of abusive automation, account sanctions, and platform-integrity violations, making the guidance materially more dangerous than generic scheduling advice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to schedule repeated automated liking/favoriting actions against a social platform via cron, but provides no warning about account suspension, rate limits, Terms of Service violations, or broader platform abuse implications. In context, this is not merely documentation of automation mechanics: it operationalizes engagement automation intended for long-term unattended use, which increases the likelihood of policy-violating behavior and account-impacting misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill clearly automates account actions on Xiaohongshu (searching, liking, favoriting) and stores a local interaction history, but the description does not present an explicit user-facing warning about these side effects. That omission reduces informed consent and can lead users to unknowingly trigger platform-account activity, local data persistence, and possible account restrictions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs autonomous social-platform actions (liking and favoriting content) using the user's authenticated session without any runtime confirmation, dry-run mode, or explicit consent gate. In this skill context, that is risky because execution directly changes the user's account behavior and can trigger unwanted engagement, policy violations, or reputation/account consequences.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.