Xiaohongshu Auto Publish
Security checks across malware telemetry and agentic risk
Overview
This skill is an auto-publisher as advertised, but it embeds payment credentials, depends on unreviewed local helper code, and can publish to a social account without a final review step.
Review this skill carefully before installing or running it. Do not use it with an important Xiaohongshu account unless you are comfortable with automatic posting, and avoid running it until the hardcoded payment key is removed and all helper code it executes is included and reviewed.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the skill package can see and potentially misuse the payment API credential; users also cannot clearly verify which SkillPay account controls payment verification.
The distributed runtime embeds a live-looking SkillPay API key and uses it for payment verification, while metadata declares no primary credential or environment-variable contract.
SKILLPAY_API_KEY = "sk_4eacbcc..." ... "Authorization": f"Bearer {SKILLPAY_API_KEY}"Rotate the exposed key, remove it from the client-side skill, and perform payment verification through a server-side service or a declared user-provided secret.
Running the skill may fail or execute unreviewed local code that controls the generated content and cover before the account publishes it.
The skill imports and executes helper code from an absolute workspace path, but the provided manifest does not include generate_content.py or generate_cover_chinese.py.
WORKSPACE = "/Users/xiaofang/.openclaw/workspace-taizi" ... cover_script = f"{WORKSPACE}/generate_cover_chinese.py" ... sys.path.insert(0, WORKSPACE) ... from generate_content import create_content as gen_contentInclude all runtime helper files in the reviewed package, use relative paths, avoid broad sys.path injection, and declare all dependencies explicitly.
A mistaken prompt, bad generated copy, or compromised helper code could result in public posts from the user's Xiaohongshu account.
After generating content and a cover, the code directly invokes the Xiaohongshu publish command with no visible preview, draft mode, or final confirmation.
cmd = ["python3", XHS_CLIENT, "publish", title, content, image_path, "--tags", tags] ... success, msg = publish(title, content, cover_path, tags)
Add a mandatory preview and explicit confirmation step before publishing, and offer a draft-only mode by default.
The skill can act through the logged-in Xiaohongshu account, so mistakes affect the real account rather than a sandbox.
The skill requires an already configured and logged-in Xiaohongshu MCP session, which is expected for publishing but grants account-level posting authority.
- xiaohongshu-mcp 已配置 - 小红书已登录
Use only with an account you intend to automate, confirm the MCP session and permissions, and prefer a dedicated posting account if possible.