📕 小红书 Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate, but it can use a full Xiaohongshu account cookie to post, delete, and comment without built-in confirmation safeguards.

Install only if you are comfortable letting an agent act through your Xiaohongshu session. Use a test account where possible, keep the cookie private, avoid plaintext cookie storage, and require manual approval before any publish, delete, or comment command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill uses environment-based secrets (`XHS_COOKIE`) and a local cookie file for authentication, but no explicit permissions are declared. In an agent ecosystem, undeclared access to environment variables or local secret material reduces transparency and can lead to unintended credential exposure or use without informed user consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared description understates the actual capabilities: beyond posting, searching, and comment management, the skill can delete notes, inspect users, enumerate notes, fetch personalized feed data, and read authentication cookies from disk. This mismatch is dangerous because users and orchestrators may authorize the skill under a narrower trust assumption than the actions it can actually perform.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```python
import subprocess
import time

for keyword in ["Python", "机器学习", "数据分析"]:
    subprocess.run(f"xiaohongshu-wrapper.sh note search --keyword '{keyword}'", shell=True)
    time.sleep(3)  # avoid triggering risk controls
```
Confidence
97% confidence
Finding
`subprocess.run(f"xiaohongshu-wrapper.sh note search --keyword '{keyword}'", shell=True)`

VirusTotal

64/64 vendors flagged this skill as clean.
