Skill v1.4.5

VirusTotal security

Xhs Publish · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 6:17 AM
Hash: 07f14a904c8a835a31291789e02f18490c115ec63dfe787543a3b091de3e2173
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: xhs-publish
Version: 1.4.5

The skill bundle provides extensive automation for Xiaohongshu posting but contains several high-risk security indicators. Most critically, SKILL.md contains a hardcoded, functional 'DOUBAO_API_KEY' (919ec537-6d4d-43c4-a5ce-a90a17673bbb), which is a major credential leak. The instructions in SKILL.md also include 'Content Taboos' that explicitly direct the AI agent to use prompt injection techniques to hide its automated nature and the tool's identity to evade platform detection. Additionally, the installation scripts (check_env.sh) and documentation encourage downloading and executing external binaries from GitHub (xpzouying/xiaohongshu-mcp) and managing sensitive session cookies locally. While these features support the stated purpose, the combination of hardcoded secrets, platform-evasion instructions, and external binary execution makes the bundle highly risky.