xhs-auto

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu helper is coherent, but it includes live account publishing and external image-service uploads without a clear final approval boundary.

Install only if you are comfortable with an agent preparing Xiaohongshu posts, saving drafts and images in the workspace, sending image prompts or selected base images to external providers, and potentially using `xhs-kit` with a logged-in account. Use `debug-publish` first, review the exact title, body, tags, images, account, and schedule, and require an explicit confirmation before any live `xhs-kit publish` command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares executable dependencies and instructs use of shell, networked tools, environment variables, and external services, but it does not declare permissions or present clear capability boundaries. This creates a transparency and consent problem: users and enforcement layers may not realize the skill can transmit data externally, invoke local commands, or access environment-configured endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior presents a full Xiaohongshu publishing workflow, but the described implementation appears incomplete while still invoking external image-generation services and publication-related tooling. This mismatch is dangerous because users may trust the skill with content, credentials, or publishing actions under false assumptions about what is actually automated, validated, or transmitted to third parties.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases shown are broad everyday requests like 'help me write a Xiaohongshu post' or 'help me publish one,' which can overlap with ordinary conversation and cause unintended activation. In this skill's context, accidental invocation is more dangerous because activation can lead to content generation, workspace writes, and potential external publishing/debug API interaction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that generated copy and images are stored under the workspace, but it does not warn users that potentially sensitive drafts, prompts, and image paths will be persisted on disk. This can expose unpublished marketing content, personal ideas, or user-provided assets to other local processes, future sessions, or accidental sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes using publish/debug-publish flows and external image-generation services but does not disclose that user content, prompts, and possibly images may be transmitted to third-party services or platform tooling. In this context, that omission is risky because drafts intended for local editing or private review could be sent off-box without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The formal publish section describes commands that perform real account actions but does not clearly foreground that content will be uploaded to a live third-party account and may have irreversible platform, moderation, privacy, or reputational effects. In an automation skill, this omission increases the chance that users or downstream agents invoke live publishing unintentionally, causing unauthorized or premature posts under a logged-in account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly describes sending prompts and, in edit mode, user-supplied base images to third-party API providers, but it does not warn users that their content will leave the local environment and may be retained, logged, or processed by external services. In a content-publishing workflow, prompts and images may contain unpublished marketing material, personal data, or sensitive media, so the omission can lead to unintended data disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user-supplied prompt and, in edit mode, the local image file to third-party provider endpoints using curl without any explicit consent prompt, sensitivity check, or strong disclosure at execution time. In an automation skill, this can cause inadvertent exfiltration of private images or confidential text to external services, especially if the caller assumes all processing is local.

External Transmission

Medium
Category
Data Exfiltration
Content
  # Excerpt from the scanned script: tail of the jq filter that builds the JSON request payload
  '{model: $model, prompt: $prompt, size: $size, n: 1} | if $seed != "" then .seed = ($seed|tonumber) else . end')

  local response
  # The payload (user prompt, model, size, optional seed) is POSTed to the externally configured endpoint
  response=$(curl -sS -X POST "${ENDPOINT_BASE}/v1/images/generations" \
    -H "Authorization: Bearer ${API_KEY}" \
    -H "Content-Type: application/json" \
    -d "$payload") || {
Confidence
91% confidence
Finding
The transmitting command is `curl -sS -X POST "${ENDPOINT_BASE}/v1/images/generations"` with an `Authorization: Bearer ${API_KEY}` header, a `Content-Type: application/json` header, and a `-d` request body carrying the payload, so the user's prompt is sent to the endpoint configured in the environment.

VirusTotal

66/66 vendors flagged this skill as clean.