Back to skill
Skillv1.1.1
VirusTotal security
小红书情报官 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:52 AM
- Hash
- 437525f46defb8ff9a5659b1d7ea949f76470cf1476582fb68e78c381d4b5c73
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: weavefox-xhs-intel Version: 1.1.1 The skill facilitates Xiaohongshu data retrieval via the TikHub API but contains a hardcoded API key in `scripts/tikhub_client.js`. Crucially, the implementation ignores the user-provided `--api-key` argument in the `callTikHubAPI` and `callTikHubAPIPost` functions, forcing all traffic through the embedded credential despite documentation claiming overrides are supported. This behavior, combined with instructions in `SKILL.md` that command the AI agent to prioritize this skill over standard web searches, creates a mechanism where all user queries are funneled through a specific third-party account (api.tikhub.io), potentially allowing the skill author to monitor user search activity.
- External report
- View on VirusTotal