v1.0.3

Xiaohongshu Search Summarizer

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:44 AM.

Analysis

The skill mostly does what it claims, but it runs local browser automation and has an unsafe filename construction that can write outside the requested output folder if the search keyword contains path characters.

GuidanceReview before installing. If you use it, choose a safe output directory, avoid keywords containing slashes or '..', and remember that the skill will run a local browser scraper, download images, and may use your logged-in Xiaohongshu session if you authenticate manually.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/parse.py

md_filename = f"{keyword.replace(' ', '_')}_raw_data.md"
md_path = os.path.join(output_dir, md_filename)
...
with open(md_path, 'w', encoding='utf-8') as f:

The keyword is used as part of a filesystem path without rejecting '/', absolute paths, or '..'. A crafted or accidental keyword can cause the Markdown output to be written outside the intended output directory.

User impactA search term containing path characters could create or overwrite a local Markdown file in an unexpected location.

RecommendationSanitize the keyword into a safe basename, reject path separators and '..', resolve the final path, and verify it remains inside the chosen output directory before writing.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

scripts/run.sh

playwright-cli run-code "$(< "$SCRIPT_PATH")" > "$OUTPUT_DIR/xhs_data.json"
python3 "$(dirname "$0")/parse.py" "$KEYWORD" "$OUTPUT_DIR/xhs_data.json" "$OUTPUT_DIR"

The skill executes generated Playwright JavaScript and a Python parser locally. This is central to the stated browser-scraping purpose, but it is still local code execution that users should knowingly approve.

User impactRunning the skill opens and controls a browser, scrapes page content, downloads images, and writes files on the local machine.

RecommendationOnly run it from a reviewed skill directory, keep dependencies installed from trusted sources, and choose a dedicated output folder.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

SKILL.md

compatibility: Requires playwright-cli and python3, and the Python 'requests' package installed.

The skill depends on local external tools and a Python package, while the registry metadata lists no required binaries or install spec. The dependency need is disclosed in SKILL.md, but not fully captured by metadata.

User impactInstallation may require manual dependency setup, and the safety of execution depends partly on the user's local playwright-cli, python3, and requests installations.

RecommendationInstall dependencies from trusted package sources and update the skill metadata/install spec to declare these requirements clearly.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Xiaohongshu may demand a login challenge. If the site pauses waiting for a login, instruct the user to verify the `playwright-cli` browser window and perform necessary authentication manually

The skill may operate in an authenticated Xiaohongshu browser session if the user logs in manually. The artifacts do not show credential theft, but authenticated access expands what the scraper may see.

User impactThe scraper may access content visible to the logged-in Xiaohongshu account, and its activity may be associated with that account.

RecommendationLog in only if comfortable, consider using a separate browser/profile or account, and log out after use if needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceMediumStatusNote

SKILL.md

extracts the top N posts (including texts, images, and user comments) ... You MUST use your file reading / vision capabilities on these image file paths

The skill intentionally brings untrusted social-media text, comments, and images into the agent's context for synthesis. This is expected for summarization, but such content can contain prompt-injection-like instructions.

User impactMalicious or misleading text inside posts, comments, or images could try to influence the agent's behavior if it is not treated strictly as source data.

RecommendationTreat scraped posts, comments, and images as untrusted content; summarize them, but do not follow instructions embedded in them or reveal unrelated private information.