Xiaohongshu Automation

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Xiaohongshu automation purpose, but it bundles sensitive session handling and network-exposed automation features that need review before installation.

Install only if you are comfortable giving the skill access to your Xiaohongshu session and letting it publish on your behalf. Keep the MCP server disabled or bound to localhost unless you deliberately secure it, protect ~/.openclaw/credentials/xhs_cookies.json and backups as live login credentials, and use preview or dry-run modes before any publishing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (56)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd, check=True):
    """Run a command and return the result."""
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=check)
        return result.returncode == 0, result.stdout, result.stderr
    except Exception as e:
        return False, "", str(e)
Confidence
95% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=check)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        try:
            if os.name == 'nt':  # Windows
                # Check with the where command
                result = subprocess.run(f"where {cmd}", shell=True, capture_output=True)
                if result.returncode == 0:
                    return True
            else:
Confidence
88% confidence
Finding
result = subprocess.run(f"where {cmd}", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    return True
            else:
                # Unix-like systems use which
                result = subprocess.run(f"which {cmd}", shell=True, capture_output=True)
                if result.returncode == 0:
                    return True
        except:
Confidence
88% confidence
Finding
result = subprocess.run(f"which {cmd}", shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            safe_print("🧹 清理ChromeDriver进程...")
            try:
                if os.name == 'nt':
                    subprocess.run(["taskkill", "/F", "/IM", "chromedriver.exe"], 
                                 capture_output=True)
                else:
                    subprocess.run(["pkill", "-f", "chromedriver"],
Confidence
84% confidence
Finding
subprocess.run(["taskkill", "/F", "/IM", "chromedriver.exe"], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    subprocess.run(["taskkill", "/F", "/IM", "chromedriver.exe"],
                                 capture_output=True)
                else:
                    subprocess.run(["pkill", "-f", "chromedriver"], 
                                 capture_output=True)
            except:
                pass
Confidence
85% confidence
Finding
subprocess.run(["pkill", "-f", "chromedriver"], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                safe_print(f"🔍 找到MCP服务器进程: {pid}")
                try:
                    if os.name == 'nt':  # Windows
                        subprocess.run(["taskkill", "/F", "/PID", pid], check=True)
                    else:  # Unix-like
                        os.kill(int(pid), signal.SIGTERM)
                        time.sleep(2)
Confidence
83% confidence
Finding
subprocess.run(["taskkill", "/F", "/PID", pid], check=True)

Tainted flow: 'target_path' from os.environ.get (line 80, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
            if cm_cookies_path.resolve() != target_path.resolve() and cm_cookies_path.exists():
                target_path.parent.mkdir(parents=True, exist_ok=True)
                import shutil
                shutil.copy2(cm_cookies_path, target_path)

            print(json.dumps({
                "status": "success",
Confidence
84% confidence
Finding
shutil.copy2(cm_cookies_path, target_path)

Tainted flow: 'cmd' from os.environ.get (line 117, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
cmd = ["uv", "run", "--project", toolkit_dir, str(script_path)] + args

    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
88% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=600, env=os.environ.copy(), )

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README makes a broad security claim that all data is stored only locally, but the same document explicitly describes downloading remote images and connecting to remote browser/network services. That discrepancy can mislead users into underestimating network exposure, authenticated session leakage, and third-party data handling risks.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document claims the failure was fixed by switching to JavaScript-driven realistic input events, but the primary implementation still uses Selenium send_keys directly. In a skill that automates posting actions on a live platform, this mismatch can cause the agent to execute unreliable or unintended automation flows while operators believe the method is verified and safe.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The text repeatedly asserts 100% success and complete repair, yet the included code does not implement the stated fix. Overstated verification can mislead an agent or operator into trusting brittle automation for login/posting workflows, increasing the chance of failures, account actions, or unsafe follow-on logic based on false assumptions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The function claims to validate cookie validity but uses intentionally relaxed rules that may accept incomplete or stale authentication state as valid. In this skill, cookies gate authenticated creator-center actions, so false positives can cause the agent to proceed with privileged operations under invalid session assumptions, leading to misexecution, account-state confusion, or unsafe fallback login behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manual command handler exposes backup and restore operations that go beyond the skill metadata's stated scope of login, posting, trending scraping, and AI content generation. Backup/restore features can access or reintroduce sensitive local state such as cookies or persisted session data, expanding the attack surface and enabling misuse if an operator or downstream agent invokes them unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code forces a persistent Chrome user-data directory under a fixed path, explicitly preserving login state, cookies, and browser fingerprint across runs. In an agent skill context, this can unintentionally retain sensitive session material between tasks, users, or environments, increasing the risk of account takeover, cross-task data leakage, or unauthorized reuse of an authenticated session.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code can connect to an arbitrary remote WebDriver endpoint derived from configuration, expanding the trust boundary beyond the local host. If an attacker can influence that configuration or the remote endpoint is untrusted, browser activity, authenticated sessions, page contents, and automation commands may be exposed to or controlled by another system.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The server exposes creator analytics data beyond the narrowly stated automation purpose, increasing data exposure and privacy risk. In this skill context, the capability is more dangerous because it handles authenticated account data and returns potentially sensitive performance and audience information to MCP clients without clear scope restriction.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file adds backup and restore capabilities for cookies and configuration that are not part of the declared skill purpose of running XHS automation via exec-run scripts. Scope expansion is security-relevant here because it introduces credential persistence and restore functionality, increasing the attack surface and enabling unauthorized reuse of authenticated sessions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The backup_data function exports authentication cookies to a JSON file on disk, creating a portable copy of live session credentials. Anyone who obtains the backup archive can potentially import those cookies and hijack the associated Xiaohongshu session without needing the original login factors.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The restore_backup function imports cookies from an arbitrary user-supplied directory and writes them into the active cookie store, enabling session injection. This can be abused to silently switch identities, reuse stolen credentials, or load attacker-controlled session material into the tool.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The client implements authenticated creator analytics and detailed account/fan/content data collection that goes beyond the skill metadata's described login/publish/hot-topic/AI-generation workflow. This capability expansion is dangerous because users or downstream agents may invoke broader account surveillance and data extraction functions than they were led to expect, increasing privacy and authorization risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The entrypoint exposes additional capabilities beyond the manifest description, including configuration display and generation, status inspection, and server/process management. In agent ecosystems, these hidden or under-declared capabilities increase the risk that a caller invokes privileged local operations without understanding the full security impact.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This section implements process discovery, termination, and ChromeDriver cleanup that are not reflected in the advertised skill purpose. Undisclosed host-management features are dangerous in an automation skill because they expand the trust boundary from app automation into local system control.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The server start command binds an MCP server to a caller-provided host, defaulting to `0.0.0.0`, which exposes the service on all interfaces. In a skill intended for Xiaohongshu automation, opening a network service is a significant expansion of attack surface and may unintentionally expose sensitive automation functions remotely.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises fully automated publishing and one-command end-to-end posting without clearly warning that this causes real external actions on a live Xiaohongshu account. In an agent skill context, that increases the chance of unintended posts, spam, or account-impacting actions if the user misunderstands the command or the agent triggers it too eagerly.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README promotes AI copywriting and image generation through third-party providers but does not warn users that prompts, generated content, and possibly account-related context may be transmitted to external APIs. This can lead to unintentional disclosure of sensitive business data, personal information, or unpublished campaign material.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal