Skillv1.0.1

VirusTotal security

小红书自动化 · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 29, 2026, 4:22 AM

Hash: 52e3cc09dd0ab9654ec3f079cd2bfc672dc4e5647e37c04517c7f84877333829
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: openclaw-xhs Version: 1.0.1 The skill is classified as suspicious due to its extensive use of web automation (Selenium) with full browser control, including persistent profiles, and the capability to download files from arbitrary URLs. While these features are aligned with the stated purpose of Xiaohongshu automation (login, content generation, publishing, data scraping), they introduce inherent risks. Specifically, `scripts/xhs_trending.py` and `scripts/xhs_auth.py` (and the underlying `xhs-toolkit/src/core/browser.py`) launch Chrome, potentially in a non-headless mode for login, and interact with web pages. The `scripts/xhs_generate_content.py` leverages `src/utils/image_processor.py` to download images from user-provided or AI-generated URLs, which could be abused for large file downloads or to introduce malicious content if the image processing library had vulnerabilities. The installer also modifies `~/.openclaw/openclaw.json`, a sensitive configuration file, which, while intended, is a high-privilege action. No direct evidence of intentional malice (e.g., exfiltration of unrelated sensitive data, backdoor installation) was found, and the `SKILL.md` instructions do not contain prompt injection attempts.
External report: View on VirusTotal