v1.1.0

小红书 MCP 服务

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:18 AM.

Analysis

This XHS automation skill is functional but risky because it ships with session cookies and runs an unauthenticated background MCP service that can post, comment, like, and publish through an account.

Guidance: Do not run this as-is on a machine or network you do not fully control. Remove data/cookies.json, log in only with your own account, bind the service to localhost, add MCP authentication, and require confirmation before any publish/comment/like/favorite action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
metadata
Primary credential: none

The metadata says no primary credential is required even though the artifact set includes XHS cookies and login/session handling.

User impact: A user may install it believing no account credential or session authority is involved.
Recommendation: Update metadata to disclose XHS login/cookie use and remove any preexisting cookie file from the package.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/index.js
server.tool('publish_content', '发布图文内容到小红书', { ... visibility: z.enum(['公开可见', '仅自己可见', '仅互关好友可见']).optional().default('公开可见') ... })

The tool set directly supports public publishing and other account mutations, but the artifacts do not show an enforced confirmation step before those high-impact actions.

User impact: An agent or exposed MCP client could publish public posts, comment, like, or favorite content through the logged-in account.
Recommendation: Require explicit user confirmation and a preview before publish/comment/like/favorite actions, and add rate limits or bulk-action safeguards.

Rogue Agents
Severity: Medium | Confidence: High | Status: Concern
scripts/ensure-service.js
detached: true, stdio: 'ignore', env: { ...process.env } ... child.unref();

The service manager starts the MCP server as a detached background process, allowing it to continue running after the initiating command returns.

User impact: The XHS account automation service may remain active and reachable after the user thinks the task is complete.
Recommendation: Run the service in the foreground by default or clearly prompt before background start, provide reliable stop behavior, and stop it automatically when no longer needed.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
package.json
"dependencies": { "@modelcontextprotocol/sdk": "^1.0.0", "express": "^4.18.2", "puppeteer": "^24.0.0" }

The skill relies on npm-installed dependencies with floating caret ranges, while the registry provides no install spec and the source/homepage provenance is limited.

User impact: Dependency versions may change at install time, which can make the installed behavior harder to reproduce or review.
Recommendation: Provide a lockfile or pinned versions, a real source repository, and an explicit install specification.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
data/cookies.json
"name": "access-token-creator.xiaohongshu.com", "value": "customer.creator.AT-..."

The package contains XHS access/session cookie material, and the browser module is designed to load cookies from this data path, creating account authority that is not declared as a primary credential.

User impact: The skill may operate using a bundled XHS session or expose account cookies that should never be distributed with a skill.
Recommendation: Remove bundled cookies before distribution, declare the credential requirement, and require each user to log in with their own account in a clearly documented flow.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: High | Confidence: High | Status: Concern
scripts/index.js
const HOST = process.env.XHS_HOST || '0.0.0.0'; ... app.all('/mcp', async (req, res) => { ... await transport.handleRequest(req, res); })

The MCP endpoint is bound to all interfaces by default and the provided route handler forwards requests to the MCP transport without a local authentication or origin check.

User impact: Anything that can reach the service port may be able to invoke XHS tools and access returned account data or trigger account actions.
Recommendation: Bind to 127.0.0.1 by default, require an authentication token for MCP requests, and document firewall/network exposure requirements.