Xhs

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Xiaohongshu automation purpose, but it asks for real account control, browser cookies, and persistent system services that need careful review.

Install only if you are comfortable running a persistent local MCP service that can act through your Xiaohongshu account. Verify the downloaded xiaohongshu-mcp release yourself, prefer QR login over pasting browser cookies, require a preview and explicit confirmation before posts/comments/likes/favorites/product actions, and know how to stop the services and delete stored cookies afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill directs installation of host packages, creation of systemd units, enabling services at boot, downloading binaries from the internet, and launching persistent background services. Those are administrator-level host modification and persistence actions that far exceed a normal content-assistant role, making compromise or misuse much more damaging. In this skill context, they are especially dangerous because they normalize broad system control under a consumer social-media automation label.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Reading ~/.openclaw/openclaw.json to enumerate available models is unrelated to Xiaohongshu operations and exposes local configuration data without a clear need. Even if only model names are extracted, this unnecessarily broadens the skill’s access to local environment details and can leak provider metadata or operational configuration.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is presented as an environment check, but it also mutates system state by starting Xvfb and the MCP service, including background execution. This mismatch is dangerous because operators may run it expecting read-only diagnostics, while it actually launches services and persistent processes without explicit consent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The header comments describe the file as a simple environment check script, but the implementation performs automatic remediation and service startup. Misleading labeling lowers operator vigilance and increases the chance of unintended state changes on the host.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger scope is extremely broad, covering effectively any Xiaohongshu-related mention. Overbroad activation increases the chance the skill runs in contexts where users did not intend privileged actions such as publishing, login handling, or local command execution, which can lead to surprising or harmful side effects.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs users to paste browser cookies and persists them to disk for authenticated reuse, but it does not provide strong warnings about credential theft, session hijacking, reuse risk, or secure disposal. Browser cookies are effectively authentication secrets; collecting and storing them in a skill materially raises account-compromise risk, especially in a social-media automation context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill enables publication, comments, likes, favorites, and other external-account actions without a unified, prominent warning that these are real side-effecting operations. In practice, users may underestimate that the skill can post publicly or interact from their logged-in account, leading to accidental reputation, compliance, or account-safety harm.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script attempts to start Xvfb automatically when it is not running, without any prior confirmation. Unprompted service startup changes runtime state and can violate user expectations, especially in shared, production, or least-privilege environments.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script automatically starts the MCP service and, if needed, launches it under nohup in the background, creating a persistent process without clear warning. This can leave unexpected long-lived software running and makes a supposedly diagnostic command operationally invasive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script transmits user-provided content to a user-specified external API endpoint but only shows a generic progress message, not an explicit consent or privacy warning. In an agent-skill context, users may assume content stays local or within the agent platform, so silent transmission of arbitrary prompt content can expose sensitive notes, drafts, or personal data to third parties.

Ssd 3

High
Confidence
98% confidence
Finding
The instructions explicitly facilitate receiving user authentication cookies, transforming them, and storing them for subsequent authenticated actions. That is a direct workflow for handling sensitive credentials and maintaining reusable sessions, which can enable account takeover or misuse if the data is exposed, logged, or reused beyond the user’s intent.

External Transmission

Medium
Category
Data Exfiltration
Content
)

  echo "🔄 正在生成小红书爆款标题..."
  RESULT=$(curl -s -X POST "$API_URL" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $API_KEY" \
    -d "$PAYLOAD")
Confidence
95% confidence
Finding
curl -s -X POST "$API_URL" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
)

  echo "🔄 正在生成小红书正文..."
  RESULT=$(curl -s -X POST "$API_URL" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $API_KEY" \
    -d "$PAYLOAD")
Confidence
95% confidence
Finding
curl -s -X POST "$API_URL" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d

VirusTotal

67/67 vendors flagged this skill as clean.