Xiaohongshu Data Insights and Competitor Analysis Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Xiaohongshu data-analysis tool that calls its API provider and saves results locally, with privacy and reliability caveats but no evidence of malicious behavior.

Install only if you are comfortable sending Xiaohongshu keywords, profile/note URLs, and the GUAIKEI_API_TOKEN to the guaikei.com API service, and with returned data being saved locally under logs. Delete logs when they are no longer needed, avoid using sensitive research terms on shared machines, and fix or account for the post-cli.js output bug before relying on profile monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares and requires a sensitive environment variable (`GUAIKEI_API_TOKEN`) but the metadata does not appear to declare explicit permissions or clearly scope how that secret is used. This creates a transparency and governance gap: users may provide credentials to a skill without sufficient permission signaling, review hooks, or documentation about where the token is sent and how it is handled.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The CLI writes the full task output, including note details/comments and the queried URL, to a local JSON file by default. Persisting scraped platform data locally increases exposure through leftover artifacts, accidental sharing, weak filesystem permissions, or collection by other local processes, especially if comments or metadata contain personal or sensitive information.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CLI builds the success output with `results: detailTask`, but the fetched data is stored in `postTask`. Because `detailTask` is undefined, the tool will either throw a runtime error or fail to return the retrieved task data, causing integrity and availability issues in a security-relevant data pipeline. In this skill context, the bug is more dangerous because users rely on the tool for operational analysis and may trust empty or failed output as authoritative.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill states that collected task results are automatically written to a local `logs/` directory, but this persistence behavior is not prominently disclosed before use. Because the tool processes URLs, keywords, note details, and comments, silent local retention can expose sensitive business research, collected third-party content, or operational data to other local users, backups, or later exfiltration.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The tool writes result data derived from the target profile URL to a local JSON file without obtaining explicit user consent or giving a clear warning. This can expose scraped profile data and query targets to other local users, backups, or log collectors, which is a privacy and data-handling risk even if the source data is public. The skill context makes this somewhat more sensitive because it is explicitly used for competitor analysis and creator profiling at scale.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The CLI writes full search results to a persistent local file without clear user-facing notice or consent in the normal execution flow. Because this tool processes potentially sensitive competitive-research queries and result sets, silent persistence can expose business intelligence or user activity to other local users, backups, or downstream tooling that scans the filesystem.

VirusTotal

64/64 vendors flagged this skill as clean.