Xiaohongshu MCP Service

Security checks across malware telemetry and agentic risk

Overview

This XHS automation skill matches its stated purpose, but it ships account cookies and exposes posting, commenting, and engagement controls without enough containment.

Review carefully before installing. Remove the bundled cookies file, rotate any exposed XHS sessions, bind the MCP service to localhost or add authentication, and require explicit approval before publishing, commenting, replying, liking, favoriting, or uploading local media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The skill documents a default bind address of 0.0.0.0, which exposes the MCP service on all network interfaces instead of limiting it to localhost. For a local automation assistant handling authenticated XHS actions, this unnecessarily broadens the attack surface and could allow other machines on the network to access or abuse the service if additional controls are absent.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The file contains live Xiaohongshu authentication material, including account/session cookies and access tokens, embedded directly in the skill package. Anyone with access to the skill files can potentially replay these credentials to act as the account owner, which exceeds the declared automation-helper purpose and creates unauthorized account access risk.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The additional persistent authentication cookies and creator-session identifiers show the skill is bundled with a pre-authenticated account context. This gives the skill an embedded-account capability that could let operators or downstream users access, impersonate, or automate actions on that account without explicit consent from the end user.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The stop routine executes a broad OS-level kill command (`taskkill /F /IM node.exe /FI "WINDOWTITLE eq *xhs*"`) that can forcibly terminate Node.js processes beyond the intended MCP service. In the context of an XHS automation skill, process-killing is a privileged host capability unrelated to core business logic and creates avoidable denial-of-service risk on the user's machine.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The code comments imply it stops only 'the service', but the implementation uses a broad `taskkill` filter that may match unrelated Node windows containing `xhs` in the title. This mismatch is dangerous because operators may believe the command is narrowly scoped when it actually has wider destructive effects, increasing the chance of accidental termination of legitimate processes.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The trigger condition is very broad, covering nearly any mention of XHS/RED-related activity. Overbroad invocation can cause the agent to activate this skill in contexts the user did not intend, increasing the chance of unintended account actions or disclosure through an automation service with posting and interaction capabilities.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The documentation advertises tools that can publish content, like posts, favorite items, and comment using a logged-in account, but it does not require explicit user confirmation or present meaningful risk warnings. In the context of a social-media automation skill, missing safeguards around state-changing actions make accidental or unauthorized account activity more likely.

Natural-Language Policy Violations
Severity: High
Confidence: 99%
Finding: Hardcoded session/authentication cookie values expose a specific authenticated account context directly in source-distributed data. Because these are live bearer-style artifacts, an attacker or unintended recipient can often reuse them immediately for account takeover, data access, or unauthorized posting and account operations.

Natural-Language Policy Violations
Severity: Medium
Confidence: 96%
Finding: The presence of multiple hardcoded identity and session cookies ties the skill to a preselected authenticated account and environment. In the context of a social-media automation skill, this is especially dangerous because it can silently direct actions, content publishing, or data retrieval through someone else's account context.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The API documentation exposes a session-changing destructive action (`delete_cookies()`) without any warning that it will log the user out and remove persisted authentication state. In an agent skill context, undocumented destructive/session-reset operations are risky because an agent may invoke them without obtaining explicit user confirmation, causing account disruption or loss of workflow state.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The documentation describes public content publishing APIs, including uploading local image/video paths, without warning that user-provided text and local media files may be transmitted to the XHS platform and potentially made publicly visible. In an automation skill, this increases the chance of unintended disclosure of private content or accidental public posting if an agent acts on ambiguous user requests.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script performs forceful termination with `/F` and no warning, confirmation, or dry-run behavior. That makes accidental or automated invocation capable of immediately killing processes, which is especially risky in an agent skill that may be triggered indirectly as part of broader automation.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The /message endpoint logs req.body verbatim, which can capture sensitive MCP payloads such as prompts, session data, tokens, cookies, or user-generated content. In this skill context, the service handles account automation for Xiaohongshu, so logged request bodies may include authentication material or private operational data that could later be exposed through log access, aggregation systems, or support workflows.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The skill exposes a destructive tool that deletes authentication cookies and resets login state without any confirmation, safeguard, or secondary check at the execution point. In an MCP context, tools may be invoked by agents or users with limited visibility into side effects, so a mistaken or prompted call can cause denial of service to the current authenticated session and force reauthentication.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill exposes a destructive session-management action that deletes authentication cookies immediately with no explicit confirmation, preview of scope, or user-awareness safeguard. In an agent setting, this can log a user out, disrupt active sessions, and be triggered by an ambiguous or malicious prompt, making it an unsafe side effect even though it is not directly data-exfiltrating.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: This function submits a public comment on the user's behalf after only receiving content parameters, with no final consent check or out-of-band confirmation before the send button is clicked. In an automation skill for a social platform, unauthorized posting can damage reputation, violate platform policy, and be abused through prompt injection or accidental invocation.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The reply function performs a user-account action that publishes content under the user's identity without an explicit approval step immediately before submission. Because replies are contextual and can target specific users/comments, accidental or manipulated execution can create harassment, impersonation, or reputational harm more easily than a read-only operation.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: This publishing routine uploads media, fills content fields, and performs the final publish click automatically, causing irreversible public posting with no explicit user confirmation at the point of action. In the context of an XHS automation skill, this is especially dangerous because publishing can expose sensitive media, leak draft content, damage a brand/account, and create broad public impact far beyond a local side effect.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The video publishing function automates media upload and final submission without a clear confirmation barrier, enabling unintended public release of video content under the user's account. Video posts can carry higher privacy and reputational risk because the uploaded file may contain sensitive visuals/audio and is harder to review once an agent submits it automatically.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
    "url": "https://github.com/yourusername/xhs-mcp-service.git"
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "express": "^4.18.2",
    "puppeteer": "^24.0.0",
    "qrcode": "^1.5.3",
Confidence: 96%
Finding: "@modelcontextprotocol/sdk": "^1.0.0"

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "express": "^4.18.2",
    "puppeteer": "^24.0.0",
    "qrcode": "^1.5.3",
    "zod": "^3.22.0"
Confidence: 91%
Finding: "express": "^4.18.2"

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "express": "^4.18.2",
    "puppeteer": "^24.0.0",
    "qrcode": "^1.5.3",
    "zod": "^3.22.0"
  },
Confidence: 92%
Finding: "puppeteer": "^24.0.0"

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
    "@modelcontextprotocol/sdk": "^1.0.0",
    "express": "^4.18.2",
    "puppeteer": "^24.0.0",
    "qrcode": "^1.5.3",
    "zod": "^3.22.0"
  },
  "engines": {
Confidence: 87%
Finding: "qrcode": "^1.5.3"

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
    "express": "^4.18.2",
    "puppeteer": "^24.0.0",
    "qrcode": "^1.5.3",
    "zod": "^3.22.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence: 90%
Finding: "zod": "^3.22.0"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

Severity: High
Category: Supply Chain
Confidence: 98%
Finding: @modelcontextprotocol/sdk==1.0.0

VirusTotal

66/66 vendors flagged this skill as clean.
