xiaohongshu (Xiaohongshu automated operations)

Security checks across malware telemetry and agentic risk

Overview

This skill's behaviour mostly matches its stated purpose, Xiaohongshu account operations, but it needs review because it acts through a logged-in social account while persisting account and feed data locally and potentially sharing it externally, without tight user-controlled boundaries.

Install only if you are comfortable with the agent driving a logged-in Xiaohongshu browser profile. Use a dedicated account and browser profile, review drafts before any public post or reply, ask the agent not to write to the knowledge base unless you approve each write, and do not allow Feishu screenshot sharing unless you have explicitly chosen the recipient and understand what page data is being sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The skill is framed as generating a publishable Xiaohongshu note, i.e. a draft, but the documented default flow includes the publishing step itself. An agent following that flow moves from content drafting into account-affecting actions without a clearly separated consent boundary, increasing the risk of unintended posting or misuse of the user's social account.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill explicitly instructs collection of commenter identifiers and timestamps (`user`, `time`) from a public comment area without any minimization, notice, or justification. Even if the data is public, aggregating and structuring it for downstream analysis increases privacy risk, enables profiling of individuals, and may conflict with platform rules or data-protection expectations.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The skill instructs the agent to browse account pages and collect structured account and post-level data, but it provides no guidance to inform users about privacy considerations, platform terms, retention, or limits on handling potentially personal data. In an ops skill centered on social-media analysis, this omission increases the chance of unnecessary collection, silent storage to a knowledge base, and use of data in ways the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The instructions direct the agent to browse a personalized home feed, enter post detail pages, and record structured content signals without any privacy notice, minimization rule, or guidance about handling potentially sensitive personal data. In this skill context, the homepage is recommendation-driven and may reflect the user's profile, interests, behavior, and other inferred traits, so collecting and summarizing it can expose private signals beyond what is necessary.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: This skill explicitly instructs the agent to write and update local knowledge-base files as part of normal task execution, but it does not require obtaining user confirmation before modifying the workspace. That creates an unauthorized local file modification risk: a user asking for browsing, analysis, or publishing help could indirectly trigger persistent writes, including updates to README summaries and action logs, without realizing the agent will change local state.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The markdown explicitly records that the workflow writes artifacts into local knowledge-base paths, but it does not mention any user confirmation, dry-run mode, or warning that local files will be modified. In an agent skill context, undocumented file writes can surprise users, overwrite existing notes, or persist scraped data without clear consent, which makes this a real but low-severity safety issue.
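The boundaries the Overview recommends (approve every public post or reply, every knowledge-base write and every Feishu share, with a user-chosen recipient for the latter) and the minimization the commenter-data finding asks for can be enforced outside the skill, in the layer that dispatches the agent's tool calls. The following is an added example, not code from the xiaohongshu skill or from SkillSpector; the tool names, the `Gate` class, the `minimize_comment` helper and the sample comment record are assumptions constructed for illustration. Read-only browsing passes, anything that touches the account, the local workspace or a third party needs a one-shot approval recorded by the user, and comment records lose the `user` and `time` fields before they are stored.

```python
"""Hypothetical approval gate for an agent skill that browses, posts and
stores social-account data. Added example, not the skill's own code.
Tool names are assumptions chosen to mirror the findings above."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    READ = "read"          # browse feed, open post pages, read comments
    LOCAL_WRITE = "local"  # write or update the local knowledge base
    ACCOUNT = "account"    # publish, reply, like through the logged-in account
    EXTERNAL = "external"  # send page data to a third party (e.g. Feishu)


# Hypothetical tool names; a real skill would map its own tools here.
# Anything not listed is denied by default.
TOOL_RISK = {
    "browse_feed": Risk.READ,
    "read_post": Risk.READ,
    "collect_comments": Risk.READ,
    "write_knowledge_base": Risk.LOCAL_WRITE,
    "publish_note": Risk.ACCOUNT,
    "reply_comment": Risk.ACCOUNT,
    "share_screenshot_feishu": Risk.EXTERNAL,
}


@dataclass
class Approval:
    tool: str
    recipient: str | None = None  # required only for EXTERNAL tools


@dataclass
class Gate:
    """Decides, per tool call, whether the agent may proceed."""

    approvals: list[Approval] = field(default_factory=list)
    log: list[str] = field(default_factory=list)

    def approve(self, tool: str, recipient: str | None = None) -> None:
        """Record one explicit user approval; it is consumed by one call."""
        self.approvals.append(Approval(tool, recipient))

    def _consume(self, tool: str) -> Approval | None:
        for i, a in enumerate(self.approvals):
            if a.tool == tool:
                return self.approvals.pop(i)
        return None

    def allow(self, tool: str, args: dict) -> bool:
        """Return True if the call may run; log the reason either way."""
        risk = TOOL_RISK.get(tool)
        if risk is None:
            self.log.append(f"deny {tool}: unknown tool")
            return False
        if risk is Risk.READ:
            self.log.append(f"allow {tool}: read-only")
            return True
        approval = self._consume(tool)
        if approval is None:
            self.log.append(f"deny {tool}: {risk.value} action needs user approval")
            return False
        if risk is Risk.EXTERNAL and (
            not approval.recipient or approval.recipient != args.get("recipient")
        ):
            self.log.append(f"deny {tool}: recipient not chosen by user")
            return False
        self.log.append(f"allow {tool}: approved")
        return True


def minimize_comment(rec: dict, key: bytes) -> dict:
    """Drop commenter identifier and timestamp before storage.

    Only content and like count are kept. A keyed hash of the handle (HMAC
    under a secret the user holds, never stored beside the data) lets repeat
    commenters be counted without retaining who they are.
    """
    author_key = hmac.new(key, rec["user"].encode(), hashlib.sha256).hexdigest()[:16]
    return {"content": rec["content"], "likes": int(rec.get("likes", 0)),
            "author_key": author_key}


def demo() -> list[str]:
    """Run the skill's default flow through the gate on constructed calls."""
    g = Gate()
    g.allow("browse_feed", {})
    g.allow("publish_note", {"text": "draft"})                 # denied: no approval
    g.approve("publish_note")
    g.allow("publish_note", {"text": "draft"})                 # allowed exactly once
    g.allow("write_knowledge_base", {"path": "kb/notes.md"})   # denied: no approval
    g.approve("share_screenshot_feishu", recipient="alice")
    g.allow("share_screenshot_feishu", {"recipient": "bob"})   # denied: wrong recipient
    return g.log


if __name__ == "__main__":
    print("\n".join(demo()))
    sample = {"user": "u_123", "time": "2024-05-01 10:00", "content": "nice", "likes": 3}
    print(minimize_comment(sample, b"user-held-secret"))      # constructed record
```

Approvals are consumed one per call, so a single "yes" cannot be replayed for a second post, and an external share is refused unless the recipient in the call matches the one the user named. The gate is deny-by-default for tool names it does not know, which is the behaviour you want when a skill's instructions, not its code, decide which tools get called.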

VirusTotal

64/64 vendors flagged this skill as clean.