Xiaohongshu Mcp Node

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Xiaohongshu automation integration, but it needs review because it can control a real social account, stores reusable login cookies, and recommends an unsafe remote installer.

Install only if you are comfortable giving an external MCP server and browser automation access to a logged-in Xiaohongshu account. Avoid the `curl | bash` installer unless you inspect and pin it first, protect `cookies.json` with restrictive permissions, and require manual confirmation before any publish, comment, like, favorite, or visibility-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The FAQ states that cookies are only stored locally and never uploaded to any server, but using the skill to authenticate and operate on Xiaohongshu necessarily transmits those cookies to Xiaohongshu during browser automation or HTTP requests. This is a misleading security/privacy claim that can cause users to underestimate credential exposure and make unsafe trust decisions.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The document promises that all operations occur locally and nothing is uploaded to third-party servers, yet the core functionality explicitly includes search, publishing, and interactions on Xiaohongshu, all of which require network communication with external services. This contradiction is security-relevant because it misrepresents the system's data flows and may invalidate user consent and privacy expectations.

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill documents publishing, commenting, liking, and favoriting actions against a real social-media account without requiring an explicit confirmation step or warning that these actions are public and may be irreversible. In an agent setting, this increases the risk of unintended account actions, accidental spam, reputational harm, or policy violations if the agent acts on ambiguous user requests.

Missing User Warnings

Medium
Confidence: 89%
Finding
The FAQ documents the cookie file path and environment override but does not clearly warn that the file contains reusable authentication material. In a skill that automates account actions, insufficient guidance around credential storage increases the risk of accidental disclosure, insecure placement, or unsafe sharing of the cookie file.

Missing User Warnings

Medium
Confidence: 98%
Finding
The quick-start recommends executing a remotely fetched shell script directly via `curl ... | bash`, which allows arbitrary code from the remote source to run immediately on the user's system without review or integrity verification. In a setup guide, marking this as the recommended path increases the chance users will execute untrusted code blindly, and a compromised repository, account, or network path could lead to full host compromise.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation presents publish, like, and comment commands without clearly warning that they perform real actions on the user's Xiaohongshu account. This can lead users or downstream agents to trigger posting and interactions unintentionally, causing account misuse, spam, reputation damage, or platform-policy violations.

VirusTotal

VirusTotal findings are pending for this skill version.
