xiaohongshu-ops

Security checks across malware telemetry and agentic risk

Overview

This skill's contents mostly match its declared Xiaohongshu automation purpose, but it drives a live social account and bundles an optional OpenClaw setup script that prints a gateway authentication token to the terminal in plaintext.

Review before installing. Use this only with an account/profile you are comfortable letting an agent operate, keep human confirmation before any publish or reply action, and avoid using it on a shared machine. Do not run the optional OpenClaw setup script without editing out the token-printing line or treating the displayed gateway token as a secret; rotate it if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The script explicitly reads the gateway authentication token from configuration and prints it to the terminal. That exposes a live credential to shell history captures, terminal scrollback, screen sharing, logs, and shoulder-surfing, enabling unauthorized access to the local OpenClaw gateway if the token is reused or copied.

Description-Behavior Mismatch

High
Confidence: 94%
Finding
The file content is unrelated to the declared Xiaohongshu operations purpose and instead installs and onboards OpenClaw, including gateway setup and auth handling. This scope mismatch is dangerous because it can smuggle privileged setup steps into a skill users may trust for a different business function, increasing the chance of unintended execution.

Missing User Warnings

Medium
Confidence: 97%
Finding
The instructions expose a sensitive gateway token in plaintext without any warning that it is a credential. Users may copy, paste, screenshot, or log the token unknowingly, making compromise more likely in collaborative or monitored terminal environments.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly promotes fully automated publishing and automated comment interaction without any safety constraints, approval gates, rate limits, or warnings about platform-policy, account-security, and user-impact risks. In the context of a social-media operations skill, this can enable spammy or deceptive behavior, trigger account sanctions, and cause unauthorized or harmful actions at scale if connected to real credentials.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README promotes automated posting, comment replying, downloading, and autonomous account operation, but does not warn users that the skill can take real actions on a live social-media account, consume authenticated sessions, and create irreversible account/content changes. In this context, omission of action/risk disclosures is security-relevant because users may install and run the skill without understanding that it can post publicly, interact with others, or trigger platform enforcement.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README says first-time QR login is required and that subsequent runs reuse the authenticated session, but provides no warning about session persistence, credential/token storage, device trust, or local compromise risk. For a browser-automation skill operating a real account, persistent authenticated state materially increases the impact of misuse because anyone with access to the environment may be able to act as the account owner without reauthentication.
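One concrete mitigation for the persistent session state this finding describes: before handing the profile to an agent, check that the directory holding the reused login (cookies, local storage, device-trust tokens) is readable only by the user running the automation, and tighten it if not. The shell script below is an added example, not code from the skill or from the Xiaohongshu tooling; the profile location and file names are assumptions, so pass the directory the skill actually uses.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill): audit the directory where a browser-
# automation profile keeps its authenticated session and restrict it so that
# only the current user can read it. The profile path is an assumption; pass
# the directory the skill really writes to (e.g. its Chromium user-data dir).
set -u

# List every regular file under the profile dir that is readable by group or
# others, or that is not owned by the invoking user. Anyone who can read
# these files can act as the logged-in account without re-authenticating.
# Returns 1 if any such file exists, 2 if the directory is missing.
check_session_state() {
  local dir="$1" me bad
  if [ ! -d "$dir" ]; then
    echo "no such profile directory: $dir" >&2
    return 2
  fi
  me=$(id -un)
  bad=$(find "$dir" -type f \( -perm -040 -o -perm -004 -o ! -user "$me" \))
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Restrict the profile to the current user: 700 on directories, 600 on files.
# Ownership is deliberately not changed here; a file owned by someone else is
# reported by check_session_state and should be investigated, not adopted.
lock_down_session_state() {
  local dir="$1"
  chmod 700 "$dir"
  find "$dir" -type d -exec chmod 700 {} +
  find "$dir" -type f -exec chmod 600 {} +
}

# Usage (hypothetical path):
#   check_session_state "$HOME/.xiaohongshu-ops/profile" || \
#     lock_down_session_state "$HOME/.xiaohongshu-ops/profile"
```

Run the check again after every session refresh, since browser engines recreate cookie and storage files with the process umask rather than with the permissions you set earlier; on a shared machine, deleting the profile after each run is the safer choice.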

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to send screenshots to Feishu as attachments, which is an external data transmission step, but it does not require a clear privacy warning, consent check, or data-minimization rule first. In an operations workflow, screenshots may contain account identifiers, unpublished content, analytics, or private messages, so silent forwarding can expose sensitive business or personal data to third parties.

Ssd 3

High
Confidence: 99%
Finding
The script retrieves the gateway auth token and prints it in plaintext during verification. Plaintext secret disclosure is a direct security issue because terminal output is commonly persisted or observable, and the skill context makes it worse since this file is disguised as unrelated Xiaohongshu operations content rather than clearly labeled credential-handling admin guidance.
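The token-printing problem raised in this finding and in the Context-Inappropriate Capability finding above can be checked for before the setup script is ever run, and the verification step can be rewritten so it never echoes the credential. The shell script below is an added example, not part of the skill or of OpenClaw: the first function flags lines in any setup script that echo a variable whose name suggests a secret, and the second confirms a gateway token is present and long enough while printing only its length and a SHA-256 prefix. The config path and the `auth_token=` key=value layout are assumptions for illustration; OpenClaw's real config format is not described on this page.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill or OpenClaw): audit a setup script for
# lines that print a secret-looking variable, and verify a gateway token
# without echoing it. The config layout (auth_token=...) is an assumption.
set -u

# Report every non-comment line in SCRIPT where echo or printf expands a
# variable whose name contains "token", "secret" or "password".
# Output format is "LINENO:line". Returns 1 if any were found, 0 otherwise.
find_token_prints() {
  local script="$1" hits
  hits=$(grep -nEi '(echo|printf)[^#]*\$[{]?[A-Za-z0-9_]*(token|secret|password)' "$script" \
         | grep -vE '^[0-9]+:[[:space:]]*#') || true
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# First 8 hex digits of the SHA-256 of stdin; enough to compare a token across
# hosts or against a rotation log, useless for reconstructing it.
sha256_prefix() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -c1-8
  else
    shasum -a 256 | cut -c1-8
  fi
}

# Read auth_token=VALUE from CONFIG (assumed layout) and confirm it exists and
# is at least 32 characters, printing only a fingerprint, never the value.
verify_token_quietly() {
  local config="$1" token
  token=$(sed -n 's/^auth_token=//p' "$config" | head -n1)
  if [ -z "$token" ]; then
    echo "gateway token missing in $config" >&2
    return 1
  fi
  if [ "${#token}" -lt 32 ]; then
    echo "gateway token is only ${#token} chars; regenerate it" >&2
    return 1
  fi
  printf 'gateway token present (len=%d, sha256 prefix=%s)\n' "${#token}" \
    "$(printf '%s' "$token" | sha256_prefix)"
}

# Usage (hypothetical paths):
#   find_token_prints ./openclaw-setup.sh && echo "no token prints found"
#   verify_token_quietly "$HOME/.openclaw/gateway.conf"
```

If `find_token_prints` reports a hit, treat the token as exposed for every terminal session that already ran the script, rotate it, and only then install the edited version.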

VirusTotal

64/64 vendors flagged this skill as clean.
