xhs-search

Security checks across malware telemetry and agentic risk

Overview

This is mainly a Xiaohongshu search skill, but it exposes logged-in account actions like liking, favoriting, and publishing without clear safeguards.

Review this as a write-capable logged-in Xiaohongshu integration, not just a passive search helper. Install only if you trust the third-party MCP binary and are comfortable with long-lived local cookies; avoid startup persistence unless needed, and require explicit user approval before any like, favorite, or publish action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

Finding
The skill is presented as a search/reporting tool, yet the documented toolset includes state-changing functions such as liking, favoriting, and publishing content. This scope mismatch is dangerous because users or orchestrators may invoke the skill under the assumption of passive retrieval while it actually has authority to modify an authenticated account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%

Finding
Exposing like, favorite, and publish operations in a skill branded for content search creates an unsafe capability escalation path. In the context of a logged-in social-media account, these actions can change account state, create public posts, and cause reputational or policy consequences without users expecting such behavior.

Vague Triggers

Severity: Medium
Confidence: 83%

Finding
Broad trigger phrases increase the chance of accidental invocation during normal conversation, especially for generic requests like analysis or report generation. Because this skill can reach an authenticated service and exposes write-capable tools, mis-triggering is more dangerous than for a purely local or read-only skill.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The documentation states that the skill uses a logged-in Xiaohongshu account and persistent local cookie state, but it does not prominently warn about privacy, account access, or potential misuse of authenticated data. In this context, authenticated scraping and profile/detail access can expose private browsing/account context and create user-consent gaps.

Missing User Warnings

Severity: High
Confidence: 98%

Finding
The skill documents write actions that directly affect the user's authenticated account, yet it does not provide clear warnings about reputational impact, accidental engagement, posting, or platform-enforcement risk. In a social platform context, publishing or interacting as the user can have immediate and externally visible consequences.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.