xiaohongshu-mcp-skill
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent, but it should be reviewed carefully: it uses a locally downloaded MCP service and a stored Xiaohongshu login session (cookies) to publish and interact from your account, including batch actions, and its artifacts define no approval step or access safeguards for any of that.
Install only if you are comfortable granting a locally downloaded MCP service access to your Xiaohongshu account. Pin and verify the upstream binary, protect cookies.json, keep the service reachable only from your own machine, stop it when finished, and require explicit confirmation before any posting, commenting, liking, favoriting, or batch operation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could perform bulk engagement or comments from the user's Xiaohongshu account, affecting reputation, account standing, or public visibility.
The documented workflow encourages iterating through feed/search results to like, favorite, or comment from the user's account, but the artifacts do not require explicit confirmation, target review, or limits for these account-mutating actions.
### 4. Batch interaction
1. Call list_feeds() or search_feeds() to obtain a list of notes
2. Iterate over the results and call like_feed / favorite_feed / post_comment_to_feed
Require explicit user approval before every publish, comment, reply, like, favorite, or bulk action; show the exact target and content; and set clear limits for batch operations.
Anyone or anything that can reach the cookie-backed service or read the cookie file can act on Xiaohongshu as the user.
The skill relies on a persistent logged-in Xiaohongshu session stored as cookies.json, which grants ongoing account authority, yet the registry declares no primary credential and the docs do not restrict who or what can access the cookie file.
- After the browser opens, log in by scanning the QR code or with a phone number
- After a successful login, `cookies.json` is saved in the current directory
- No further login is needed afterwards (unless the cookies expire)
Store cookies in a protected directory, document the credential requirement in metadata, restrict file permissions, and use a dedicated account if possible.
A compromised or unexpected release binary could gain access to the user's local environment and Xiaohongshu session.
The deployment path depends on downloading and running prebuilt external binaries, but the artifacts provide no pinned version, checksum, signature verification, or bundled source/code for this review.
gh release download --repo xpzouying/xiaohongshu-mcp \ --pattern "xiaohongshu-mcp-darwin-arm64.tar.gz" --dir /tmp ... after extraction the archive contains two executables
Pin a specific release, verify checksums or signatures, prefer reproducible/source builds, and review the upstream project before running the binaries.
Other local processes or MCP clients may be able to call the service if they can reach the localhost endpoint.
The logged-in account operations are exposed through a local HTTP MCP endpoint, but the artifacts do not describe client authentication, origin controls, or permission boundaries between local clients.
Service listens on: `http://localhost:18060/mcp` ... claude mcp add --transport http xiaohongshu-mcp http://localhost:18060/mcp
Bind only to localhost, keeping in mind that a localhost bind keeps the port off the network but does not stop other processes on the same machine from calling it; add an access token or client allowlist if the service supports one, never forward or expose the port, and stop the service when not in use.
The Xiaohongshu-capable local service may remain active until manually stopped.
The service is intentionally started as a background process and can continue running after the initial task, though the documentation also provides stop commands.
nohup ./bin/xiaohongshu-mcp-darwin-arm64 > mcp.log 2>&1 & echo $! > mcp.pid
Start the service only when needed, monitor the PID/logs, and stop it after use with the documented kill command.
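The following wrapper is an added example written for this review; it is not code from the skill or from the xpzouying/xiaohongshu-mcp project. It ties together the recommendations for findings 2, 3 and 5 above (pinned, digest-verified download; owner-only cookies.json; background start with a PID file and a matching stop). The release tag in TAG, the digest in EXPECTED_SHA256 (which you must obtain and review out of band, since the audit notes the skill ships none), the install directory, and the extracted binary name are assumptions, not values from the page.

```bash
#!/bin/sh
# Added example, not part of the skill or the upstream project.
# Assumptions (not from the page): TAG, EXPECTED_SHA256, WORKDIR and the
# binary name inside the archive. gh, tar, awk and stat are expected on PATH.
set -eu

REPO="xpzouying/xiaohongshu-mcp"
ASSET="xiaohongshu-mcp-darwin-arm64.tar.gz"
TAG="${TAG:-vX.Y.Z}"                    # assumption: replace with the reviewed release tag
EXPECTED_SHA256="${EXPECTED_SHA256:-}"  # assumption: digest verified out of band
WORKDIR="${WORKDIR:-${HOME:-/tmp}/.xiaohongshu-mcp}"  # assumption: private install dir

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}

# is_private FILE -> 0 only if nobody but the owner can read it (600 or 400).
is_private() {
  m=$(mode_of "$1")
  [ "$m" = "600" ] || [ "$m" = "400" ]
}

# Download the pinned release and refuse to unpack it unless the digest
# matches the value you verified beforehand.
fetch_pinned() {
  mkdir -p "$WORKDIR/bin"
  gh release download "$TAG" --repo "$REPO" --pattern "$ASSET" --dir "$WORKDIR" --clobber
  if [ -z "$EXPECTED_SHA256" ] || ! verify_sha256 "$WORKDIR/$ASSET" "$EXPECTED_SHA256"; then
    echo "refusing to unpack $ASSET: no pinned digest or digest mismatch" >&2
    return 1
  fi
  tar -xzf "$WORKDIR/$ASSET" -C "$WORKDIR/bin"
}

# Lock down the session file, then start the service in the background
# exactly as the skill documents, recording the PID so it can be stopped.
start_service() {
  cd "$WORKDIR"
  umask 077                                  # files the service creates are owner-only
  [ -f cookies.json ] && chmod 600 cookies.json
  nohup ./bin/xiaohongshu-mcp-darwin-arm64 > mcp.log 2>&1 &
  echo $! > mcp.pid
}

# stop_service [PIDFILE] -> terminate the recorded process and drop the PID file.
stop_service() {
  pidfile="${1:-$WORKDIR/mcp.pid}"
  [ -f "$pidfile" ] || return 0
  pid=$(cat "$pidfile")
  kill "$pid" 2>/dev/null || true
  rm -f "$pidfile"
}
```

Typical use is `fetch_pinned` once, `start_service` at the beginning of a session and `stop_service` at the end; between those, `lsof -nP -iTCP:18060 -sTCP:LISTEN` shows which address the service actually bound, which is the check behind finding 4. Downloading into /tmp, as the skill's own command does, leaves the archive readable by other local users on many systems, which is one reason the wrapper uses a private directory instead.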
