Skill v1.0.0

ClawScan security

📕 小红书 Agent Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 13, 2026, 2:22 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement the advertised Xiaohongshu CLI functionality, but it omits declaring the required authentication credential and reads a hardcoded cookie file path. These inconsistencies merit caution before installing or running it.
Guidance
What to consider before installing:
- This skill needs your Xiaohongshu session cookie (XHS_COOKIE) to act on your account. The registry metadata did not declare this, but the code and README do. Do not install unless you accept providing that cookie.
- The wrapper expects a cookies file at /root/.openclaw/workspace/xiaohongshu-cookies.md and will export it into XHS_COOKIE; that absolute path may not match your environment and could expose the cookie to other processes. Prefer using an environment variable you control if you proceed.
- The README and SKILL.md instruct installing the xhs Python package from PyPI. Inspect the xhs library (and any transitive dependencies) before installing, and avoid --break-system-packages unless you understand the implications. Consider using an isolated virtualenv or container.
- This skill can perform account actions (post/delete/comment). These are high-risk: frequent automated calls may trigger Xiaohongshu risk-control and lead to account restriction. Use test accounts and rate-limit calls.
- If you want this skill to be considered coherent/benign, ask the maintainer to: (1) declare XHS_COOKIE (and the config file path, if they intend to use one) in the skill metadata, (2) avoid hardcoded absolute paths or make them configurable, and (3) provide an explicit install spec in the registry manifest.

Review Dimensions

Purpose & Capability
Rating: concern
Name/description match the included CLI and wrapper code: the skill provides search/publish/delete/comment/feed operations via the xhs Python SDK. However, the registry metadata lists no required credentials or config paths, while the code and SKILL.md clearly require an XHS cookie (XHS_COOKIE) or a cookies file. That mismatch (credential required but not declared) is an incoherence.
Instruction Scope
Rating: concern
Runtime instructions and the provided wrapper/CLI stay within the stated purpose (calling Xiaohongshu APIs). But the wrapper reads a hardcoded config file (/root/.openclaw/workspace/xiaohongshu-cookies.md) and sets XHS_COOKIE from it; this file path is not declared in registry metadata. The SKILL.md also instructs users to copy their browser Cookie value, which is sensitive. No other system-wide files are read, and there is no obvious exfiltration to unexpected endpoints.
Install Mechanism
Rating: note
The skill is instruction-only from the registry perspective, but the SKILL.md frontmatter and README instruct pip3 install xhs click (--break-system-packages). Installing third-party Python packages from PyPI is expected for this SDK, but the use of --break-system-packages and the lack of an explicit install spec in registry metadata are noteworthy. No remote code downloads from obscure hosts or extracted archives are present in the bundle itself.
Credentials
Rating: concern
The code requires a session cookie (XHS_COOKIE) to operate, yet the registry lists no required env vars or primary credential. The wrapper attempts to load a cookie from a specific file under /root/.openclaw/workspace, an absolute path that may expose the cookie to other processes or be incorrect on the user's system. Requiring a browser cookie is proportionate for this purpose, but the omission from declared requirements and the hardcoded path are problematic.
Persistence & Privilege
Rating: ok
The skill does not request always:true, does not modify other skills, and has no persistent installation mechanism in the manifest. It runs as an invoked CLI wrapper and does not claim elevated privileges.