ClawHub

Xiaohongshu Deep Research

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only Xiaohongshu research workflow, but it relies on a separately trusted local MCP service and a logged-in Xiaohongshu account.

Before using this skill, make sure you trust the xiaohongshu-mcp service, are comfortable using a logged-in Xiaohongshu account for searches, and know that reports and raw search metadata will be saved under ~/xiaohongshu-research.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Low
What this means

Searches may be performed using the user's logged-in Xiaohongshu account via the MCP service.

Why it was flagged

The workflow depends on a logged-in Xiaohongshu account through a local service. This is purpose-aligned for Xiaohongshu research, but it is account-backed access that users should knowingly provide.

Skill content
- xiaohongshu-mcp 服务运行中 (`http://localhost:18060/mcp`)
- 已登录小红书账号
Recommendation

Use an account you are comfortable using for this research, and confirm the MCP service's account/session handling before relying on it.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The safety and privacy of the research workflow partly depend on the separately installed local MCP service.

Why it was flagged

Core functionality is delegated to a separate MCP service that is not included in the reviewed artifacts. The skill does not auto-install or run it, but users need to trust that external component.

Skill content
Requires xiaohongshu-mcp service running.
Recommendation

Install xiaohongshu-mcp only from a trusted source and review its permissions, session handling, and network behavior separately.

#ASI07: Insecure Inter-Agent Communication
Low
What this means

Research topics and returned Xiaohongshu metadata pass through the local MCP service.

Why it was flagged

The workflow sends research keywords to a local MCP/API service. This is expected for the skill's purpose, but the data boundary depends on that service.

Skill content
curl -s -X POST "http://localhost:18060/api/v1/feeds/search" \
  -H "Content-Type: application/json" \
  -d '{"keyword": "露营"}'
Recommendation

Run the MCP service locally from a trusted source and avoid sending sensitive research topics if you do not trust the service.