小红书自动发布工具包 (Xiaohongshu Publish Kit)

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Xiaohongshu publishing tool, but it needs Review because it can post automatically, preserve login sessions, and run unsafe shell-built commands.

Review carefully before installing. Use a dedicated OpenClaw browser profile and preferably a test or low-risk Xiaohongshu account, avoid cron/daemon keepalive unless you explicitly need unattended operation, do not pass untrusted titles/content/paths, and add a manual preview or confirmation step before any post goes live.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = f"python3 {cover_script} --title '{title}' --date '{date_str}' --output '{output_path}'"

    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

    if result.returncode == 0:
        print(f"✅ 封面生成成功: {output_path}")
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = f"python3 {publish_script} --title '{title}' --content '{content}' --image '{cover_path}'"

    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

    if result.returncode == 0:
        print("✅ 小红书发布成功!")
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        time.sleep(3)

        cmd = f"browser --browser-profile openclaw screenshot --full-page --output {output_path}"
        result = subprocess.run(cmd, shell=True, capture_output=True)

        if result.returncode == 0:
            print(f"封面图片生成: {output_path}")
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Replace browser with openclaw browser
        if cmd.startswith("browser "):
            cmd = cmd.replace("browser ", "openclaw browser ", 1)
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return result.returncode == 0, result.stdout.strip()
    except Exception as e:
        return False, str(e)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Replace browser with openclaw browser
        if cmd.startswith("browser "):
            cmd = cmd.replace("browser ", "openclaw browser ", 1)
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return result.returncode == 0, result.stdout.strip()
    except Exception as e:
        print(f"命令执行失败: {e}")
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents shell commands and file-writing behavior (`mkdir`, running Python scripts, setup scripts) but does not declare corresponding permissions/capabilities. This creates a transparency and consent problem: a user or host system may underestimate what the skill can do, including modifying local files or invoking scripts that perform broader actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This script goes beyond simple login checking and performs backup and restoration of the full browser profile, which can include authentication cookies, tokens, browsing artifacts, and other sensitive state. In the context of a publishing toolkit, preserving a privileged social-media session materially increases the chance of account takeover or misuse if local storage is accessed by another process or user.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script restores browser session state from `/tmp/xiaohongshu_session_backup` into the active OpenClaw profile, replacing current user-data. That enables persistent credential/session reuse and can import a stale or attacker-planted authenticated session, which is more sensitive than ordinary publishing automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes automated publishing to a live Xiaohongshu account and provides an example of running the full publishing pipeline, but it does not clearly warn that actions will be performed against a real authenticated account. In an agent-skill context, this increases the risk of unattended posting, accidental spam, account sanctions, and unintended disclosure if the skill is invoked automatically or with unreviewed content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron job example normalizes recurring unattended publication from a logged-in account without a prominent warning about repeated real-world actions. In practice, scheduled posting can amplify mistakes, publish low-quality or policy-violating content at scale, and trigger platform abuse detection or account penalties before a user notices.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enables automated posting to an external account and platform, including browser automation that fills content and clicks the publish button, but it does not provide a prominent warning that it will submit content under the user's account. That omission can lead to unintended account actions, accidental publication, or reputational harm if the workflow is triggered without explicit user understanding and approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script will immediately invoke the publishing workflow with whatever arguments were supplied, causing a real post action without an explicit confirmation, dry-run, or safety interstitial. In a skill whose purpose is automated Xiaohongshu publishing, this increases the chance of accidental unauthorized posting, misuse by chained automation, or unintended publication of sensitive or malformed content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The backup routine copies the browser user-data directory to /tmp, a location commonly used for transient shared local storage and often less rigorously protected than dedicated app state directories. Browser profile data can contain active session cookies and local auth artifacts, so placing it there creates a realistic path for local theft of a logged-in Xiaohongshu creator account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The restore path deletes the existing browser profile before replacing it from backup, which is a destructive operation that can erase current state and force rollback to older credentials or settings. Without validation, confirmation, or integrity checking of the backup source, this can corrupt the profile, overwrite legitimate session data, or restore compromised session material.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs the final publish action automatically once inputs are provided, with no confirmation prompt, dry-run mode, or last-minute review. In an automation skill that can control a logged-in social-media account, this increases the chance of unintended or abusive posting if the tool is misused or triggered with bad content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The session-recovery path silently stops the browser, deletes the current profile directory, and replaces it from backup without a clear user-facing warning or confirmation. This is risky because it alters sensitive browser state and may overwrite legitimate sessions or inject another account's authenticated context.

Session Persistence

Medium
Category
Rogue Agent
Content
browser --browser-profile openclaw start

# Create the image upload directory
mkdir -p /tmp/openclaw/uploads
```

### 2. Log in to the Xiaohongshu creator platform
Confidence
80% confidence
Finding
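mkdir -p /tmp/openclaw/uploads ``` ### 2. Log in to the Xiaohongshu creator platform First use requires logging in manually once: ```bash browser --browser-profile openclaw navigate https://creator.xiaohongshu.com ``` After logging in manually by scanning the QR code, you can set up automatic keepalive: ```bash # Set up login keepalive (recommended) ./s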

VirusTotal

59/59 vendors flagged this skill as clean.
