Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xhsmander
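v1.0.0
Xiaohongshu (小红书) automated publishing skill. Uses the xiaohongshu-mcp service running in a Docker container to log in, publish image-and-text posts, search, and interact. Use this skill when the user mentions posting to Xiaohongshu, posting a note, publishing content, logging in to Xiaohongshu by scanning a QR code, Xiaohongshu automation, or Xiaohongshu publishing.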
by xiaohuozi@279458179
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the included Python scripts: they talk to a local xiaohongshu-mcp HTTP JSON-RPC endpoint to obtain QR codes, check login, search, like, and publish. Nothing in the code asks for unrelated credentials or system access. However, the SKILL.md references a docker-compose.yml and an xiaohongshu-mcp image (Alibaba Cloud image), but no compose file or image source is included in the package. The skill assumes an external Docker image is already present, and that image is neither provided nor verified.
Instruction Scope
Runtime instructions and scripts limit actions to the local MCP service (http://localhost:18060/mcp) and to files under the skill workspace (scripts/images). The agent will save QR images and write files in its workspace. The described behavior (getting QR code, prompting user to scan, then publishing content) is within scope, but it does include workflows that can publish posts and interact with user accounts — a high-impact capability that should be used consciously.
Install Mechanism
No install spec is provided (instruction-only), which is low-risk normally, but the skill requires a specific Docker container (xiaohongshu-mcp) and references docker-compose configuration that is not included. Because the skill depends on an external image whose source and integrity are unknown, this creates deployment ambiguity and supply-chain risk.
Credentials
The skill declares no environment variables or secrets and the code does not read extra environment variables. The API requires session IDs and may surface xsec_token values from API responses; those are normal for the service and are obtained at runtime. There are no unexplained credential requests in the package.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. However, it can be invoked autonomously by the model (default) and implements publish/like/comment operations that act on the user's 小红书 account—so if the agent is allowed to call the skill without human confirmation it could post or interact on the user's behalf. This is expected functionality but a meaningful privilege.
Scan Findings in Context
[no_scan_findings] expected: Static scan reported no injection signals or suspicious patterns. The package is small and mostly performs local HTTP calls; absence of findings is consistent with the code but does not mitigate the external Docker image/source risk.
What to consider before installing
This skill talks to a local Docker service (xiaohongshu-mcp) to log in and publish to your 小红书 account; the included scripts are coherent and request no extra secrets. Before installing: (1) verify and obtain the Docker image from a trusted source and add or inspect a docker-compose.yml — the skill references one but none is included; (2) be aware the skill can publish, like, and comment on your behalf — only allow the agent to run it when you trust the model and confirm actions; (3) inspect the running container image and its Dockerfiles/entrypoint before putting your account cookies there; (4) avoid sending sensitive data to be published (the skill will post whatever content you give it). If you cannot verify the Docker image/source or do not want automatic posting capability, do not enable this skill.
Like a lobster shell, security has layers — review code before you run it.
