Skill v1.4.5
ClawScan security
Xhs Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 19, 2026, 5:07 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions largely match a Xiaohongshu auto‑publish tool, but there are mismatches and risky behaviors (undeclared credentials, system/service operations, file paths under /root) that warrant manual review before installing.
- Guidance
- What to check before installing:
  - Source trust: the package has no homepage and an unknown owner; prefer skills from known repositories. If you don't trust the author, don't install.
  - Credentials: the metadata says 'no env vars' but scripts require many API keys and secret keys (Gemini/OpenAI/Tencent/MD2Card/XHS AI). Only set credentials you control and understand; never paste high‑privilege keys without auditing code.
  - Audit the code: review scripts (cover.sh, generate.sh, check_env.sh) for any unexpected network endpoints or file reads. Pay attention to places where user input could be used to read arbitrary local files (the __USER_IMAGE__ path mode uses a provided path).
  - Sandbox/least privilege: run the skill in an isolated VM/container and avoid running as root. If you must run on a host, restrict network access and API keys to minimal scopes.
  - MCP binary: README suggests downloading a third‑party MCP binary from GitHub; verify the release URL, checksum, and author before running executables.
  - System actions: scripts attempt to start system services (Xvfb, xhs-mcp) and write to ~/xiaohongshu-mcp and /root/.openclaw/media; decide whether you want a skill that manipulates services and these paths.
  - If unsure: treat as suspicious. Request the author's identity and full provenance (homepage, source repo), or run a manual code review and test in a safe environment before trusting it with real API keys or a persistent deployment.
- Findings
[base64-block] expected: Base64 blocks appear in documentation (embedded font in flow.svg) and in scripts that extract base64 images from image-generation APIs — both uses are expected for this skill's asset generation and docs.
Review Dimensions
- Purpose & Capability
- concern: Name/description (小红书一键发布, i.e. Xiaohongshu one-click publish) align with the included scripts (cover.sh, generate.sh, check_env.sh) that generate assets and call an MCP to publish. However, the skill metadata declares no required environment variables while the scripts clearly expect many API keys and secrets (GEMINI_API_KEY, IMG_API_KEY, HUNYUAN_SECRET_ID/KEY, MD2CARD_API_KEY, XHS_AI_API_KEY, etc.). That mismatch is unexplained and disproportionate.
- Instruction Scope
- concern: SKILL.md and scripts instruct the agent to generate titles/content/images, call external image/AI APIs, start or check system services (Xvfb, xhs-mcp via systemctl or manual spawn), copy files into /root/.openclaw/media/inbound, and use a local MCP service. The instructions reference system paths, systemctl, and spawning background services: actions that go beyond text generation and affect host state. SKILL.md also prescribes strict Feishu media handling rules and automatic keyword replacement, which is platform-specific but plausible.
- Install Mechanism
- note: No formal install spec is provided (instruction-only), which reduces explicit installer risk, but the README suggests downloading a third‑party MCP binary from a GitHub releases URL. The code will write to ~/xiaohongshu-mcp, /tmp, and /root/.openclaw/media; scripts create and execute helper Python snippets. No use of obscure URL shorteners was found; content embedding (e.g., the base64 font in flow.svg) is present but typical for documentation assets.
- Credentials
- concern: The declared 'Required env vars: none' is inconsistent with the multiple environment variables referenced across the scripts and check_env.sh (GEMINI_API_KEY, IMG_API_KEY, HUNYUAN_SECRET_ID/KEY, DOUBAO_API_KEY, MD2CARD_API_KEY, XHS_AI_API_KEY, XHS_AI_API_URL, etc.). These are sensitive credentials (API keys/secret keys). The skill's primary function (generate/publish content) does justify some API keys, but the omission from the metadata and the breadth of keys requested (multiple providers and cloud secrets) are disproportionate without clearer justification.
- Persistence & Privilege
- note: The skill does not request always:true and is user-invocable. However, its scripts attempt to start/check system services (systemctl start xvfb, start/launch xiaohongshu-mcp), create ~/xiaohongshu-mcp, and instruct use of /root/.openclaw/media/inbound. Those behaviors require the runtime to allow process spawning and filesystem writes in the user's home (and references /root). This is more than ephemeral processing but not automatically permanent; manual review is still required.
