小红书
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent and safety-gated, but it can operate a Xiaohongshu account and publish public posts through a user-installed local component, so users should review setup carefully.
Before installing, independently review and pin the third-party xiaohongshu-mcp component, use a dedicated Xiaohongshu account, keep the MCP server on localhost, and verify the full untruncated client code locally. Treat every publish action as public and potentially irreversible.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the tool can make public posts on Xiaohongshu using the account logged into the local component.
The setup explicitly states that the third-party component can act as the logged-in dedicated account to publish public content.
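I understand and accept: while this component is running, it can publish public content on behalf of the dedicated account named above, and a mistaken action cannot be undone.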
Use only a dedicated account, avoid main or enterprise accounts, and revoke the login device after use as SETUP.md recommends.
A mistaken publish command could post unintended public content, though the artifacts include confirmation requirements and client-side safeguards.
The skill exposes a public publishing action, but the documented workflow requires preview and explicit user authorization before calling publish.
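The agent must print a structured preview to the user and wait for the user to reply in the conversation with the explicit authorization phrase.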
Review every preview carefully and only reply with the required confirmation when you genuinely want the post to go live.
The safety of the actual platform automation depends partly on the third-party MCP component you install and run locally.
The skill depends on a separate third-party component that is not bundled with the skill; setup tells users to review and pin a version.
git clone https://github.com/xpzouying/xiaohongshu-mcp.git ... git checkout <YOUR_REVIEWED_TAG>
Only install a reviewed pinned release or source build, verify checksums for binaries, and do not use main/latest blindly.
If the remote override is enabled, Xiaohongshu actions and submitted post content could be sent to a non-local service.
The client enforces localhost by default, but an explicit environment override can allow communication with a non-loopback MCP endpoint.
if host not in _LOOPBACK_HOSTS and os.environ.get("XHS_ALLOW_REMOTE") != "yes":
Keep the MCP endpoint bound to localhost and do not set XHS_ALLOW_REMOTE unless you fully trust the remote service and understand the data boundary change.
An authenticated maintainer who intentionally runs this script could mutate ClawHub registry entries; ordinary end users do not need it.
A maintainer-only script can publish the skill package to ClawHub, but it is clearly labeled as unrelated to end-user Xiaohongshu publishing and requires an explicit environment variable plus authenticated ClawHub credentials.
CLAWHUB_PUBLISH_CONFIRM=yes ./scripts/publish.sh ... clawhub publish "$PROJECT_DIR"
Do not run scripts/publish.sh for normal Xiaohongshu use; use scripts/xhs_client.py publish only after the documented confirmation flow.
