zion-xhs-catch-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This scraper largely matches its stated purpose, but it controls a logged-in browser, advertises anti-detection scraping, and includes under-disclosed credential/cloud-sync behavior.

Install only if you are comfortable letting the skill operate a logged-in Xiaohongshu browser. Do not use it to bypass platform rules. Protect or delete any cookies.json file, review npm dependencies before running npm install, and do not run the Zion sync script unless you intend to use a verified least-privilege Zion credential.

Static analysis

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this may violate Xiaohongshu rules, trigger account restrictions, or let automation act through your real browser session.

Why it was flagged

The skill explicitly promotes using an authenticated real browser to avoid captcha/risk-control handling while performing automated collection.

Skill content
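**Core advantage**: Uses the already logged-in browser directly; no cookie management, no captcha handling, and it naturally bypasses risk-control detection.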
Recommendation

Use only where you have permission, keep collection limits low, and avoid using the skill specifically to bypass platform anti-automation controls.

What this means

If run, the skill can use high-privilege Zion credentials to insert or update cloud data and transmit scraped content to the configured Zion endpoint.

Why it was flagged

The included sync script reads a local Zion admin token and uses it as a Bearer credential for GraphQL writes, while the registry metadata declares no primary credential or required config path.

Skill content
const zionCredPath = path.resolve(process.cwd(), '.zion', 'credentials.yaml'); ... const token = cred.admin_token?.token; ... Authorization: `Bearer ${cfg.token}`
Recommendation

Do not run sync.ts unless you intend to use Zion; use a least-privilege token, verify the endpoint/table name, and require explicit confirmation before cloud writes.

What this means

Anyone who obtains cookies.json may be able to reuse or inspect your Xiaohongshu session.

Why it was flagged

The optional login helper stores Xiaohongshu browser cookies locally, which is sensitive session material even though no exfiltration is shown.

Skill content
const COOKIE_FILE = path.resolve(process.cwd(), 'cookies.json'); ... const cookies = await context.cookies(); fs.writeFileSync(COOKIE_FILE, JSON.stringify(cookies, null, 2));
Recommendation

Avoid running the legacy login helper unless needed; protect cookies.json, do not commit or share it, and delete it when finished.

What this means

Opening the generated report could run injected scripts or load unexpected resources if scraped content contains malicious markup.

Why it was flagged

Scraped titles/content are inserted into generated HTML via innerHTML without visible escaping, so untrusted page content could become executable HTML/JavaScript in the local report.

Skill content
container.innerHTML = data.map((item, idx) => `... <div class="card-title">${item.title || '无标题'}</div> ... <div class="card-text">${item.content || ''}</div> ...`)
Recommendation

Escape all scraped fields before HTML insertion or render them with textContent/DOM APIs; treat generated reports as untrusted until fixed.

What this means

Running the skill executes local shell commands and depends on the integrity of the local WebBridge binary/service.

Why it was flagged

The script uses shell execution to send commands to a fixed localhost WebBridge endpoint; this is purpose-aligned, and the shown command does not interpolate the search keyword directly into the shell.

Skill content
const res = execSync(`curl -s -X POST ${WEBBRIDGE_URL} -H 'Content-Type: application/json' -d @${tmpFile}`, { encoding: 'utf-8', timeout: 60000 });
Recommendation

Run it only from a trusted checkout and with a trusted WebBridge installation.

What this means

A malicious or misconfigured local MCP/WebBridge service could observe browser data or cause unintended browser actions.

Why it was flagged

The MCP mode talks to a local browser-control service and invokes an unsafe browser code tool; the trust boundary depends on the external local MCP service configuration.

Skill content
const MCP_ENDPOINT = process.env.MCP_ENDPOINT || 'http://localhost:8931'; ... return this.call('tools/call', { name, arguments: args }); ... browser_run_code_unsafe
Recommendation

Connect only to trusted local browser-control services, use authentication tokens where available, and stop the service after use.