ClawHub

OpenClaw Xiaohongshu MCP

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu automation skill is not evidently malicious, but it needs review because it can post through a real account while persisting login/session data in an unpinned third-party Docker service.

Install only if you trust the Docker image and are comfortable letting it retain Xiaohongshu login state locally. Use a test or least-privilege account where possible, inspect payloads before running publish, prefer private visibility first, stop the container when finished, and protect or delete the persisted cookie/profile directories when revoking access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly advertises capabilities to post comments, replies, and publish posts to an external Xiaohongshu account, but it does not warn that these actions modify live third-party platform content or require explicit user confirmation. In an agent skill context, this omission increases the risk of unintended real-world actions, account misuse, spam, or reputational damage if the skill is invoked casually or automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructions explicitly recommend persisting sensitive authentication artifacts such as cookies and Chrome profile data, which can contain active session tokens and account credentials. Without an explicit warning, access-control guidance, or secure storage requirements, users may retain highly reusable secrets on disk or in shared Docker volumes, increasing the risk of account takeover if the host, volume, or backup is exposed.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal