Xiaohongshu Similar Account Recommendation (小红书相似账号推荐)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide Xiaohongshu account recommendations as advertised, but it sends REDFOX_API_KEY over an HTTPS connection on which certificate verification is deliberately disabled (ssl.CERT_NONE), so an on-path attacker can read the key and the queried account data, and it leaves the ongoing subscription and saved-report behavior under-scoped.

Install only if you trust Redfox with your Xiaohongshu account IDs, targeting criteria, and REDFOX_API_KEY. Avoid using it on untrusted networks until TLS verification is fixed, delete generated JSON/HTML reports when no longer needed, and do not rely on the subscription feature unless the publisher documents exactly how it stores data, runs, and can be cancelled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (16)

Tainted flow: 'req' from os.getenv (line 296, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    ssl_ctx.verify_mode = ssl.CERT_NONE  # certificate verification disabled for the request below

    try:
        with urllib.request.urlopen(req, context=ssl_ctx, timeout=30) as resp:
            result = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        raise Exception(f"HTTP request failed: {e.code}, {e.read().decode('utf-8', errors='replace')}")
Confidence
99% confidence
Finding
with urllib.request.urlopen(req, context=ssl_ctx, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes capabilities to read environment variables, perform network requests, and read/write local files, but does not declare permissions or clearly surface those behaviors as part of its trust model. This creates hidden data-flow and persistence risks because users and hosting platforms cannot make informed decisions about whether API keys, returned data, and generated artifacts should be accessible to the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description says online search (联网搜索) is forbidden, yet the instructions require outbound HTTPS API calls, disable TLS verification, and write response data to local JSON/HTML files. This mismatch is dangerous because it conceals network exfiltration and local persistence behind a seemingly constrained tool, undermining user consent and making interception or misuse of returned data more likely.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README explicitly says online search is forbidden, yet the documented functionality depends on an external API key and remote data retrieval. This contradiction can mislead users and reviewers about the skill's actual network behavior, weakening informed consent and creating trust and policy-compliance risks around external data access and scheduled delivery features.

Description-Behavior Mismatch

Low
Confidence
75% confidence
Finding
The README advertises HTML export and daily subscription push capabilities that are not reflected in the stated skill metadata. Undocumented capabilities increase the attack surface and can conceal data egress, persistence, or automation behaviors from users and platform reviewers, even if the features are not inherently malicious.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README advertises a scheduled subscription/push feature that expands the skill from static account matching into ongoing monitoring and outbound delivery. That is a meaningful capability increase not reflected in the stated skill scope, and it may require background execution, stored queries, and network access despite the explicit 'no network search' constraint, creating room for unexpected data access or unauthorized automation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The README again introduces recurring push behavior as a normal usage path, even though the skill is described as a recommendation tool rather than a persistent monitoring service. Scheduled delivery can increase risk by encouraging retention of user preferences or account targets and by normalizing ongoing network-dependent behavior outside the apparent purpose of the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README requires users to obtain and configure an external API key from a third-party service, which directly conflicts with the skill metadata's ban on network search. This mismatch is dangerous because it can lead users to authorize undeclared external data flows and trust a secret-handling model that is not clearly bounded by the published skill purpose.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation forbids online search while simultaneously mandating a remote API call, which is a contradictory instruction set that can mislead users and reviewers about whether any external communication occurs. In a security context, misleading documentation increases risk because operators may assume the skill is offline-only and expose sensitive inputs that are actually sent off-box.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill text claims strict avoidance of networked search, but the code still performs an external HTTPS request and does so with certificate verification disabled. The mismatch is security-relevant because it can mislead reviewers or users about data egress and masks the fact that sensitive query data and API credentials leave the local environment.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script unconditionally writes full JSON and HTML reports containing account data to local disk, expanding the data exposure surface beyond the immediate recommendation output. On shared hosts or multi-user environments, these files can persist, be indexed, or be read by other processes, leaking queried data and API-returned content.
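As an added example (not the skill's code), the following Python shows how a skill could persist such reports without the exposure described in this finding: the file is written only on explicit opt-in, is created owner-readable only, and is never written over a pre-existing path (which also defeats a symlink planted by another local user). The report contents are a constructed sample, not real Xiaohongshu data.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not the skill's own code. The opt-in flag, the 0o600 mode and
# the O_EXCL create are the hardening proposed here; the report says the skill
# currently writes JSON/HTML unconditionally.


def write_report(data: dict, directory, name: str, save: bool = False):
    """Persist a report only on explicit opt-in; return the path, or None if skipped."""
    if not save:
        return None
    # Plain filename only: no directory components, so the caller's chosen
    # directory cannot be escaped through the report name.
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError("report name must be a plain filename")
    path = Path(directory) / name
    # O_EXCL fails if the path already exists (file or symlink), and 0o600 keeps
    # other local accounts from reading the queried data and API results.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, ensure_ascii=False, indent=2)
    return path


def report_permissions(path) -> int:
    """Permission bits of a written report, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo() -> dict:
    """Exercise write_report in a scratch directory and return what was observed."""
    # Constructed sample of an API result set (not real account data).
    sample = {"query": {"account_ids": ["acct_demo"]},
              "results": [{"id": "acct_1", "score": 0.91}]}
    observed = {}
    with tempfile.TemporaryDirectory() as scratch:
        observed["skipped_without_opt_in"] = write_report(sample, scratch, "r.json") is None
        path = write_report(sample, scratch, "r.json", save=True)
        observed["mode"] = report_permissions(path)
        observed["round_trip"] = json.loads(path.read_text(encoding="utf-8")) == sample
        try:
            write_report(sample, scratch, "r.json", save=True)
            observed["overwrite_refused"] = False
        except FileExistsError:
            observed["overwrite_refused"] = True
        try:
            write_report(sample, scratch, "../escape.json", save=True)
            observed["traversal_refused"] = False
        except ValueError:
            observed["traversal_refused"] = True
    return observed


if __name__ == "__main__":
    print(run_demo())
```

Deleting the report when it is no longer needed, as the overview recommends, is still the user's job; the code above only narrows who can read it and when it gets written.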

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation guidance tells users to 'simply describe your needs in natural language,' which is so broad that the skill may trigger outside narrowly intended benchmark-matching use cases. Overly permissive invocation boundaries can cause the agent to process unrelated requests, increasing the chance of unintended API usage, data disclosure, or capability overreach.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The instruction to use unrestricted natural language with no command constraints broadens the trigger surface and makes it easier for users or downstream prompt content to invoke unintended behaviors. In a skill that already documents undeclared network/API usage and scheduled actions, broad invocation increases the chance of abuse, confusion, or scope drift.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill requires sending user-supplied account identifiers or selection criteria to an external service and then persisting returned data into local JSON and HTML files without clearly informing the user. That lack of disclosure creates privacy and governance risk because users may not consent to third-party transfer or local retention of potentially sensitive commercial research data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits user-supplied account identifiers, filters, and an API credential to an external service without any user-facing disclosure or consent flow. In this skill context, the hidden outbound transfer is more concerning because the description emphasizes account matching and even warns against online search, which can create false expectations about local-only processing.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
## Prerequisites

- Dependencies: Python standard library (json, argparse, os, sys, urllib, ssl); nothing extra to install
- API: calls the Xiaohongshu account recommendation API using native urllib.request + ssl (verify=False) to send requests

### Authentication
Confidence
99% confidence
Finding
verify=False
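This README line and the tainted-flow finding at the top of the report describe the same defect: an ssl context with verification switched off carries the API key and the account IDs. As an added example (not the skill's or Redfox's code), the Python below shows a static check that flags the lines a reviewer should look for in skill source, and the hardened request path that the skill should use instead: `ssl.create_default_context()` with CERT_REQUIRED and hostname matching, the key in a header rather than the URL. The endpoint URL, the Authorization header and the request body layout are assumptions; only the REDFOX_API_KEY variable name comes from the report, and the sample source scanned is constructed to reproduce the quoted pattern.

```python
import json
import os
import re
import ssl
import urllib.request

# Added example, not the skill's own code. The endpoint URL and the header
# used for the key are assumptions; only REDFOX_API_KEY appears in the report.
API_URL = "https://api.redfox.invalid/xiaohongshu/similar"  # assumed placeholder

# Lines that switch off certificate or hostname verification in stdlib or
# requests-style code; the scanner flagged the CERT_NONE and verify=False forms.
INSECURE_TLS_PATTERNS = (
    re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE"),
    re.compile(r"check_hostname\s*=\s*False"),
    re.compile(r"\bverify\s*=\s*False\b"),
    re.compile(r"_create_unverified_context\s*\("),
)

# Constructed sample reproducing the pattern quoted in the findings.
SAMPLE_SOURCE = """\
ssl_ctx = ssl.create_default_context()
ssl_ctx.check_hostname = False
ssl_ctx.verify_mode = ssl.CERT_NONE
with urllib.request.urlopen(req, context=ssl_ctx, timeout=30) as resp:
    result = json.loads(resp.read().decode("utf-8"))
"""


def scan_for_insecure_tls(source: str) -> list:
    """Return (line_number, stripped_line) for every line that disables TLS checks."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in INSECURE_TLS_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def make_verified_context() -> ssl.SSLContext:
    """System trust store, CERT_REQUIRED and hostname matching; refuse anything weaker."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the peer")
    return ctx


def build_request(account_ids, api_key: str) -> urllib.request.Request:
    """POST the account IDs; the key travels in a header, never in the URL or logs."""
    body = json.dumps({"account_ids": list(account_ids)}).encode("utf-8")
    return urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_key}",  # header name is an assumption
        },
    )


def fetch_recommendations(account_ids, api_key=None, opener=urllib.request.urlopen):
    """Send the request over a verified TLS context; `opener` is injectable for tests."""
    key = api_key or os.environ.get("REDFOX_API_KEY")
    if not key:
        raise RuntimeError("REDFOX_API_KEY is not set")
    req = build_request(account_ids, key)
    with opener(req, context=make_verified_context(), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for lineno, line in scan_for_insecure_tls(SAMPLE_SOURCE):
        print(f"insecure TLS setting at line {lineno}: {line}")
```

The scan is a line-level heuristic, not a taint analysis like the one in the report; it will miss a context built in one module and weakened in another, so treat a clean result as a reason to read further rather than as clearance.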

VirusTotal

66/66 vendors flagged this skill as clean.
