Xiaohongshu product-seeding (种草) data collection

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a Xiaohongshu data-collection assistant, but it includes under-scoped scraping/session helpers and an unexpected Douyin fallback path that users should review before installing.

Install only if you trust MaxHub/aconfig.cn with your API key and any Xiaohongshu cookies or tokens you provide. Use a dedicated test account where possible, avoid supplying personal browser cookies, and review or remove the Douyin fallback and visitor-cookie/signing endpoints if you need a strictly Xiaohongshu-only read-only assistant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence
Severity: High | Confidence: 97%
Finding:
The skill explicitly asserts that all endpoints are legitimate Xiaohongshu read-only APIs, yet later it documents fallback paths to unrelated Douyin endpoints. This inconsistency can misroute user requests to a different platform than the one disclosed, undermining informed consent and potentially causing unintended cross-platform data access or transmission.

Description-Behavior Mismatch
Severity: High | Confidence: 98%
Finding:
A Xiaohongshu-only assistant should not contain documented behavior that falls back to Douyin API paths. If implemented, this creates a hidden expansion of capability beyond the stated purpose, which can send user queries, identifiers, or credentials to services outside the expected scope.

Context-Inappropriate Capability
Severity: Medium | Confidence: 91%
Finding:
Documenting cross-platform Douyin capability in a Xiaohongshu skill is unjustified by the stated functionality and broadens the operational scope without clear user disclosure. Even if not malicious, it increases the chance of accidental platform mixing, policy violations, and transmission of user request data to unintended endpoints.

Context-Inappropriate Capability
Severity: Medium | Confidence: 94%
Finding:
The documented `get_visitor_cookie` and `sign` endpoints materially extend the skill from passive data lookup into anti-bot bypass and session/bootstrap capabilities. In combination with the many scraping endpoints, these features can be used to automate collection at scale, impersonate browser traffic, and facilitate access patterns that the target service is trying to gate or rate-limit.

Vague Triggers
Severity: Medium | Confidence: 95%
Finding:
The example prompts are extremely generic single words or short phrases such as '搜索' (search), '用户' (user), and '话题' (topic). In agent systems that use prompt matching or trigger heuristics, these broad terms can cause the skill to activate during ordinary conversation, unintentionally sending user requests or context to this external Xiaohongshu data skill. Because the skill accesses third-party APIs and may process user queries broadly, accidental invocation increases privacy, data-exposure, and unexpected-action risk.

Vague Triggers
Severity: Medium | Confidence: 90%
Finding:
The README documents very broad trigger examples such as “笔记” (note), “详情” (details), “用户” (user), and “搜索” (search), which are common words in normal conversation. In an agent environment, overly generic invocation phrases can cause accidental skill activation and unintended API calls, especially for a data-access skill that queries user, note, product, and search endpoints.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding:
The file advertises bearer-token authentication at the top level and later documents the use of user-supplied cookies and proxies, but it provides no security guidance on safe handling, storage, redaction, or misuse risks. This increases the chance that operators or downstream agents will pass sensitive credentials into requests without understanding the exposure, retention, or account-abuse implications.

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding:
A large set of endpoints exposes user info, comments, note details, engagement metrics, location-like fields, and public activity data without any accompanying privacy or data-minimization warning. Even if the data is nominally public, the skill enables aggregation and profiling at scale, which raises meaningful privacy and compliance risk.

Missing User Warnings
Severity: Medium | Confidence: 89%
Finding:
The documentation instructs users to authenticate to an external domain with a bearer token but does not warn that API keys and request parameters will be transmitted to a third-party service. In a skill context, this can lead to inadvertent credential exposure or unexpected sharing of user/query data, especially if an agent operator assumes requests are local or vendor-native.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding:
The documentation explicitly instructs users to authenticate with a bearer API key but provides no warning about keeping that credential secret, avoiding client-side exposure, or rotating/revoking it if leaked. In an agent skill context, this increases the chance that downstream integrators hardcode the key in prompts, logs, front-end code, or shared configs, enabling unauthorized API use.

Missing User Warnings
Severity: Medium | Confidence: 82%
Finding:
This documentation exposes APIs for follower lists, following lists, and user search over social-media account data without any guidance on privacy, lawful basis, consent, rate limits, or acceptable use. In a data-collection skill, that omission can enable misuse for profiling, scraping, or surveillance of users at scale, especially because the documented endpoints are operational and easy to invoke.

Missing User Warnings
Severity: Low | Confidence: 71%
Finding:
The file shows bearer-token authentication but provides no warning about protecting the API key, avoiding client-side exposure, or rotating compromised credentials. While common in API docs, this omission increases the chance that integrators embed secrets in prompts, logs, front-end code, or shared examples, leading to credential leakage.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding:
The file documents security-sensitive parameters such as `xsec_token` without any warning that they may function as access tokens or session-bound identifiers. In a skill focused on querying Xiaohongshu data across app/web APIs, this omission can encourage unsafe collection, logging, sharing, or reuse of tokens, increasing the risk of unauthorized access to note, comment, or product-related data.

Missing User Warnings
Severity: Medium | Confidence: 84%
Finding:
The documentation lists `user_id` and visitor-cookie-related identifiers as normal inputs without warning that they may be privacy-sensitive or enable tracking, enumeration, or profile collection. Given this skill's broad support for user, follower, following, and visitor-oriented endpoints, the lack of privacy guidance makes mass data gathering and mishandling of identifiers more likely.

VirusTotal

64/64 vendors reported this skill as clean.