
VirusTotal security

Xhs Auto Reply · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 6:20 AM
Hash: ebae44ce95edfb908dca0f0c81f3f5667b59fde3c7e6df724170818b3344882b
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: xhs-auto-reply
Version: 4.0.4

The skill bundle facilitates Xiaohongshu (XHS) automation but introduces significant supply chain and credential risks. SKILL.md instructs the agent to download and execute a pre-compiled binary from a third-party GitHub repository (xpzouying/xiaohongshu-mcp) and perform system-level installations (apt install, Xvfb). The main script xhs_reply.py collects and stores sensitive API keys for Notion and multiple LLM providers in plain-text local JSON files (.model_config.json, .notion_config.json). While the logic aligns with the stated purpose of auto-replying to comments, the combination of external binary execution and unencrypted credential storage poses a high security risk.