xiaohongshuskills

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can control a logged-in Xiaohongshu account, post/comment publicly, and read/export account data beyond its short description.

Install only if you intend to let an agent operate a Chrome session logged into Xiaohongshu. Use a dedicated browser profile/account, avoid remote CDP unless the endpoint is private and trusted, do not use --auto-publish casually, and manually review each post, comment, notification read, analytics export, account switch, or profile deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for line in result.stdout.splitlines():
    if f":{port}" in line and "LISTENING" in line:
        pid = line.strip().split()[-1]
        subprocess.run(
            ["taskkill", "/F", "/PID", pid],
            capture_output=True, timeout=5
        )
Confidence
84% confidence
Finding
subprocess.run( ["taskkill", "/F", "/PID", pid], capture_output=True, timeout=5 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, reads and writes local files, accesses the network, and can use environment/configuration, but it declares no permissions or equivalent capability disclosure. This weakens user consent and review because a caller may believe the skill is limited to simple publishing while it can also access disk, network resources, and browser-controlled sessions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose focuses on posting content and test-browser launch, but the documentation also enables account management, login-state handling, content search, feed detail retrieval, commenting, notification access, analytics export, and remote media download. This scope expansion is dangerous because users and integrators may authorize a publishing tool that also performs scraping, interaction, and session-linked data collection.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The README documents capabilities that materially exceed the declared skill scope: beyond publishing and browser launch, it supports search, note-detail retrieval, comment posting, notification scraping, and analytics export. This kind of scope mismatch is dangerous because downstream users, policy engines, or reviewers may grant the skill broader trust than intended, enabling covert data collection or account actions under a narrower-looking manifest.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented scraping and analytics functions are outside the stated purpose of automatic publishing and can collect content, comments, notification data, and performance metrics. In a skill context, undocumented collection capabilities increase the risk of privacy violations, policy bypass, and user surprise because operators may invoke a publishing tool without realizing it also performs surveillance-like data access.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill can post comments to arbitrary notes, which is an account-action capability distinct from publishing the user's own content. In context, this increases abuse potential for spam, impersonation, or coordinated engagement using authenticated sessions, especially because the manifest frames the tool as a publisher rather than a broader engagement automation system.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest says the skill is for publishing or browser testing, yet the body instructs the agent to search content, fetch note details, post comments, read @/comment notifications, and export creator analytics. That discrepancy can mislead users and security reviewers about the true data-access and action surface of the skill.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation initially claims only three task categories, but later adds more workflows for retrieval, analytics, and interaction. This inconsistency increases the risk of unintended use because downstream agents or users may not realize the skill can perform broader account-linked actions beyond the stated categories.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file exposes capabilities well beyond the declared purpose of publishing content or launching a test browser: it can search feeds, fetch feed details, post comments, scrape notification mentions, and export creator analytics. This mismatch is dangerous because users or higher-level agents may grant trust based on the manifest while the code can access and act on additional account-scoped data and social interactions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code includes engagement automation such as posting comments and helper methods for liking and collecting notes, which are unrelated to a narrowly described publishing skill. In the context of an authenticated social-media account, these actions can be abused to perform undisclosed account activity, reputation manipulation, or spam without the user's informed approval.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill can retrieve account notification mentions and creator analytics data, both of which are account-scoped data sources outside the stated publish/test-browser purpose. This broadens data exposure and can leak private engagement, audience, or operational information to downstream logs, tools, or users who did not expect read access to these areas.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Automatic commenting and notification/comment scraping affect third parties and may process personal or interaction data, yet the README provides no clear privacy, consent, or user-impact warnings for these operations. That omission makes misuse more likely and reduces informed consent, particularly for a skill that operates on logged-in accounts and can automate public-facing actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents connecting to a remote Chrome DevTools endpoint without clearly warning that CDP grants powerful control over another browser session, including authenticated data and actions. In practice, exposing or misconfiguring a remote CDP endpoint can let operators read session data, navigate pages, and perform account actions on a different machine.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill supports connecting to a remote CDP browser host for login checks and publishing but does not warn that browser automation over a remote host may expose authenticated session data, page contents, and account actions to another machine. In this context, a remote CDP endpoint can fully control the logged-in browser, making account takeover or data leakage plausible if the host is untrusted or misconfigured.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The workflow writes user-provided titles, body text, comments, and exported analytics to local files but does not disclose this persistence or retention. While lower severity than session exposure, it can still leak sensitive content through shared disks, backups, temporary directories, or later local access by other users/processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The comment-posting workflow navigates to a target feed, fills content, and submits the comment immediately, with no user-facing confirmation step comparable to the manual review prompt used for publishing content. That makes accidental or unauthorized posting easier, especially when driven by an agent or automation pipeline using a logged-in account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notification retrieval logic fetches mentions from the authenticated page context or captures the live API response, then prints the resulting payload. Without clear disclosure or consent, this silently accesses and exposes account-scoped notification data that may contain private identifiers, message content, or social activity.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
websockets>=12.0
Confidence
91% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
websockets>=12.0
Confidence
90% confidence
Finding
websockets>=12.0

VirusTotal

64/64 vendors flagged this skill as clean.
