Toutiao Mcp

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is clear, but it can use a saved Toutiao login to publish public content, including batches, through external code without a documented final confirmation step.

Review before installing. Use this only if you trust the external toutiao-mcp server, preferably with a dedicated Toutiao account. Protect or regularly clear the cookie file, require explicit preview and confirmation before every article, micro-post, or batch publish, and be careful with remote image URLs and download directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium (81% confidence)

The FAQ makes a strong trust claim that all communication is limited to Toutiao official websites, yet elsewhere documents publishing Xiaohongshu-formatted content and use of external image URLs. Misrepresenting network behavior or data flows can cause users to overtrust the skill and may hide third-party requests, external content fetching, or cross-platform data handling they did not consent to.

Vague Triggers

Medium (89% confidence)

The trigger phrases include broad natural-language terms such as publishing to Toutiao that can plausibly appear in ordinary user conversation, increasing the chance the skill is invoked when the user did not explicitly intend to authorize account actions. In this skill, accidental invocation is more dangerous because the documented tools can log into an account, publish content, read local files for images, and perform batch operations against a live platform.

Missing User Warnings

Medium (93% confidence)

The skill documents batch publishing from Xiaohongshu data with automatic image downloading and use of local download directories, but the warning language does not clearly foreground the security implications of fetching remote URLs and writing files locally. This creates risk of SSRF-like outbound retrieval to attacker-controlled hosts, unsafe handling of untrusted content, disk consumption, and unexpected local file persistence during automated runs.

Missing User Warnings

Medium (91% confidence)

The quick-start encourages publishing articles and posts to 今日头条 as a normal setup step, but it does not clearly warn that the content will be transmitted to a third-party platform and may become a live public post under the user's account. In an agent-driven workflow, this omission increases the risk of users unintentionally disclosing sensitive, draft, or test data and causing unauthorized public actions.

Missing User Warnings

Medium (84% confidence)

The guide instructs users to delete a cookie file to recover from login issues, but it does so without any warning that this removes persisted session state and may force re-authentication or cause accidental loss of locally stored auth data. While the command targets a specific file rather than using a broad wildcard, troubleshooting documentation should clearly label destructive steps and advise verification before deletion.

VirusTotal

VirusTotal findings are pending for this skill version.
