小红书情报官

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu data skill mostly does what it advertises, but it embeds a third-party API credential and forces all traffic through it, despite claiming that users can override it.

Review before installing. Use it only if you are comfortable sending XHS searches, user IDs, note IDs, and share links to TikHub under the skill author's embedded credential. Do not rely on `--api-key` to use your own TikHub account unless the implementation is fixed, and expect note-detail lookups to emit extra raw data into logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The code documents that the API key should come from a CLI argument or default, but both request helpers ignore the provided apiKey parameter and always use a hardcoded secret in the extra constant. This embeds a credential directly in the skill and silently forces all traffic through that credential, creating secret leakage, unauthorized reuse, billing abuse, and loss of operator control over which account is used.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger text is overly broad and instructs the agent to always prioritize this skill whenever common terms like 小红书, XHS, monitoring, or related topics appear, instead of making a context-sensitive tool choice. This can cause inappropriate invocation, unnecessary external data disclosure, and bypass of safer/default tools such as general web search when the user did not clearly request this specific integration.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding
Forcing a specific language in the skill description without user choice can override user preferences and create misleading or policy-conflicting behavior, especially in multilingual contexts. While not a direct exploit primitive, it is a prompt-quality and control issue that can reduce user agency and contribute to unsafe or inappropriate automated behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code logs the full `noteData` object with `console.debug(999, noteData)`, which can expose complete note contents and associated user metadata to stdout/stderr or centralized logs. In an agent skill that processes third-party social media data and advertises built-in API access, this creates an unnecessary data leakage path because operators or downstream systems may capture and retain information the caller did not intend to disclose.

VirusTotal

65/65 vendors flagged this skill as clean.