Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
XhsSkills
v1.0.3Use this skill when you need to call the vendored Xiaohongshu/XHS APIs from Spider_XHS for PC web data or creator-platform publishing data. This skill only w...
⭐ 0· 17·0 current·0 all-time
byCheng Zhen@cv-cat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description say it wraps Spider_XHS PC and creator APIs; the repository includes xhs_pc_apis.py, xhs_creator_apis.py, JS signers, and a CLI tool that match that purpose. Required dependencies (jsdom, crypto-js, requests, opencv) are consistent with the code (JS signers and image/video handling).
Instruction Scope
SKILL.md instructs running pip/npm and calling the bundled CLI with cookies and file paths. That's expected, but the vendored JS signer code sets up a dynamic chunk loader whose base path points to XHS CDN domains (e.g., //fe-static.xhscdn.com and backups). That means, when the bundled JS runs, it may attempt to fetch additional code from external CDNs at runtime — this is not mentioned in SKILL.md and increases the risk that remote code could be executed. The skill also requires users to provide sensitive session cookies (cookies_str) to call the APIs; the instructions read local files when uploading media (expected) but do not appear to try to harvest other local credentials.
Install Mechanism
There is no formal install spec (instruction-only), and SKILL.md tells users to run pip install -r requirements.txt and npm install. Those package sources are standard (PyPI/npm). However, the bundled JS runtime contains a dynamic loader (c.p) that can request chunks from remote CDNs at runtime; even if npm install is local, runtime network fetches could pull code from the vendor CDN, which raises higher risk than a purely local vendored library.
Credentials
The skill does not request environment variables or credentials itself. It expects callers to pass XHS cookies (cookies_str) and file paths for media — this is proportional to the stated functionality (the APIs need session cookies). Nevertheless, cookies are sensitive session tokens: only provide them to code you trust (and preferably use a throwaway/test account).
Persistence & Privilege
The skill does not request always:true and is user-invocable; there is no evidence it modifies other skills or system-wide agent settings. Autonomous invocation is allowed by default but not exceptional here.
Scan Findings in Context
[base64-block] unexpected: A base64-block pattern was detected in SKILL.md content scan. The skill is primarily code-heavy; base64 blocks or large embedded blobs could indicate obfuscated content. Given the included source files, this could be part of bundled JS chunks, but its presence in SKILL.md is unexpected and worth manual review.
[unicode-control-chars] unexpected: Unicode control characters were flagged in SKILL.md. These are commonly used by prompt-injection techniques (to obscure or manipulate text boundaries). They are not needed for normal runtime instructions and should be inspected to verify they are not trying to manipulate downstream evaluation or execution contexts.
What to consider before installing
This skill appears to be what it says — a vendored Spider_XHS wrapper — but there are two things you should consider before installing or running it:
1) Sensitive cookies: The CLI and APIs require you to supply cookies_str (web_session, a1, etc.). Those are session tokens that can fully authenticate your account. Only provide them if you trust the code and preferably test with a throwaway account.
2) Remote code fetch risk: The bundled JavaScript signer contains a dynamic loader configured to fetch chunks from XHS CDNs at runtime. If the local bundle does not include every required chunk, the runtime may download and execute code from external domains. If you need strong assurance, either (a) inspect the static/ directory to confirm all chunks referenced by the loader are present locally, (b) run the skill in an isolated sandbox/network-restricted environment, or (c) disallow network access for the Node process and ensure the signer still works offline.
Practical steps:
- Review the large JS files (static/) yourself or with a developer to verify there are no unexpected remote URLs or obfuscated payloads.
- If you must run it, run npm install and the CLI in a contained VM or container and avoid using real account cookies; use a test account instead.
- Consider asking the publisher for a signed, fully-offline runtime (all chunks bundled and no external c.p fallback) if you need production use.
Finally, the SKILL.md triggered prompt-injection heuristics (base64/unicode control chars). That may be a false positive given the large vendored code, but it merits a manual glance at SKILL.md and the static JS to ensure nothing is trying to manipulate prompts or hide content.scripts/runtime/spider_xhs_core/static/xhs_creator_sign.js:190
Dynamic code execution detected.
scripts/runtime/spider_xhs_core/static/xhs_xray_pack2.js:3443
Dynamic code execution detected.
scripts/runtime/spider_xhs_core/static/xhs_xray.js:207
Dynamic code execution detected.
scripts/runtime/spider_xhs_core/static/xhs_xray_pack1.js:35836
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk972z0vv75dynzbn45rgk0n3p984m4ft
License
MIT-0
Free to use, modify, and redistribute. No attribution required.