xhs 多用户
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about automating Xiaohongshu, but it can control logged-in accounts, publish and interact publicly, scrape data, and use persistent anti-detection browser profiles, so it should be reviewed carefully before use.
Install only if you intentionally want an agent to automate Xiaohongshu with a logged-in account. Confirm every publish, comment, follow, like, collect, and bulk scrape action; protect or clean up the stored user-data directory; stop browser sessions when finished; and verify the package source and dependencies before use.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked too broadly, the agent could post, comment, follow, like, collect, or scrape using a Xiaohongshu account, affecting reputation, account standing, or platform compliance.
The skill explicitly combines public account-mutation actions, scraping, multi-account operation, persistent sessions, and anti-detection. These are coherent with the stated purpose but are high-impact and not shown to require a mandatory user confirmation before each public action.
publish image/video posts, interact (like/collect/comment/follow), scrape data, manage multiple accounts with isolated cookies and anti-detection
Only use it for explicit user-requested actions. Require a preview and confirmation before publishing, commenting, following, liking, or bulk actions, and limit the number of target URLs per run.
Anyone or any agent process with access to the skill's user-data directory may be able to reuse logged-in Xiaohongshu sessions.
The skill stores authenticated browser session state for each Xiaohongshu user. This is expected for account automation, but it is sensitive identity material.
user-data/ # Playwright persistent context (auto-saves cookies, localStorage)
Use a dedicated/secondary account if possible, protect the skill directory, and clean up user data when you no longer want the session stored.
Installing and using the skill can start local browser processes and run the included TypeScript CLI commands.
The static scan shows the skill starts a local browser process. That is expected for Playwright automation, but it means the skill can execute local browser binaries.
const browserProcess = spawn(executablePath, args, {
Install only from a source you trust, review the configured browser path, and avoid pointing BROWSER_PATH at anything except a legitimate browser executable.
A browser session may remain active until stopped, preserving account access for later commands.
The skill documents a start/status/stop browser workflow, indicating it can keep an authenticated browser session running outside a single command.
| Browser start | `npm run browser -- --start [--user <name>]` | ✅ Implemented |
| ... | ... | ... |
| Browser stop | `npm run browser -- --stop` | ✅ Implemented |
Use the status and stop commands after automation tasks, and avoid leaving authenticated sessions running unattended.
Users have less registry-provided assurance about the package's origin before allowing it to automate an account.
The registry-level source provenance is incomplete, while the skill installs npm dependencies and controls a logged-in browser account.
Source: unknown; Homepage: none
Verify the repository/package origin and review dependencies before installation, especially because the skill can act as a logged-in user.
