luan-xhs-skill

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu automation skill is mostly purpose-aligned, but it stores reusable account sessions and includes out-of-scope OpenClaw gateway setup that exposes a token.

Install only if you are comfortable giving the skill a reusable Xiaohongshu creator-session file and live posting ability. Treat ~/.openclaw/workspace/xhs_user_info.json and any displayed OpenClaw gateway token as secrets, avoid shared workspaces, prefer dry-run/draft flows, and confirm the target account, media path, visibility, and post content before allowing publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script retrieves the OpenClaw gateway auth token and prints it directly to the terminal, exposing credential material that can be copied from terminal scrollback, logs, screenshots, or shared sessions. This is especially dangerous because the token grants access to the local gateway/dashboard and is unrelated to the skill’s declared Xiaohongshu posting purpose, indicating unnecessary credential handling.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
This file embeds extensive OpenClaw installation, onboarding, OAuth, gateway, and device-management workflows that are outside the stated Xiaohongshu operations scope. Introducing unrelated control-plane setup materially expands attack surface, conditions users to install and authorize external tooling, and can facilitate credential exposure or unauthorized agent access under the guise of a different skill.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The instructions surface the gateway auth token without any warning that it is a sensitive secret, increasing the likelihood that users will paste it into chats, save it in shell history, or expose it in recordings and screenshots. Even if intended for convenience, the omission of secrecy guidance materially raises the chance of credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The quick-use examples instruct users to extract the gateway token into an environment variable for reuse, again without warning about its sensitivity. This normalizes insecure credential handling and may expose the token through shell history, process inspection, debugging output, or accidental sharing.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly promotes automated posting and automatic reply behavior for Xiaohongshu accounts, but it does not warn users that the skill can take real actions on external accounts and publish public-facing content. In an agent context, this omission is dangerous because users or operators may invoke the skill without understanding that it can modify account state, publish content, and interact with third parties at scale.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README documents external HTTP/browser requests and clearing proxy-related environment variables, but does not clearly warn users that network routing and environment behavior may be altered. This is risky because disabling proxies can bypass expected monitoring, compliance controls, or privacy protections, and operators may not realize the skill changes request paths before interacting with external services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly allows direct posting to a live Xiaohongshu account when the user says 'publish' but does not require a final user-facing confirmation that content will be sent to a real account immediately. In an automation context, this increases the risk of accidental publication, reputational harm, or posting to the wrong account/session.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill includes instructions for login, QR/SMS authentication, saved sessions, and session validation, but it does not require a clear warning that the agent will access authentication state and potentially act through an existing live session. That can lead to unintended account access, use of the wrong stored session, or sensitive auth handling without informed user consent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
After QR-based login succeeds, the script serializes cookies plus all localStorage and sessionStorage values into xhs_user_info.json under the user's workspace. These artifacts can contain bearer tokens, session identifiers, account metadata, and other authentication material that would allow account reuse or impersonation if another process, user, or later workflow can read the file. In the context of a Xiaohongshu publishing/login automation skill, this is especially dangerous because the code is explicitly handling a live creator account session rather than mock data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script captures and saves the login QR code and a full-page screenshot to predictable files in the workspace. A login QR is a live authentication artifact; if exposed to another local user, process, log collector, or downstream tool before expiry, it could be used to complete or assist unauthorized account login, and the full screenshot may also contain sensitive UI/account details.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script persists highly sensitive authentication material to disk, including cookies and both localStorage and sessionStorage, in a predictable path under the user's home directory. In the context of an automation skill that logs into a Xiaohongshu creator account, this can enable session hijacking by other local processes, later tooling, or anyone with access to the workspace, especially because there is no consent flow, warning, minimization, or file-permission hardening.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script performs a live publish action by programmatically clicking a '发布' control and then verifies publication, with no explicit runtime confirmation, dry-run mode, or user approval gate before the irreversible action. In the context of a Xiaohongshu publishing skill, this creates a real risk of unauthorized or accidental posting if the wrong draft is selected by the heuristic DOM matching or if the script is triggered unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script reads persisted session data from disk and injects cookies directly into a browser context, enabling authenticated actions on the user's Xiaohongshu account without any visible disclosure or fresh authentication challenge. In a skill whose purpose is to manage and publish content, this increases the danger because stored credentials can be silently reused to perform sensitive account actions, including posting content, if the workspace or invocation path is misused.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script performs the final irreversible publish action immediately once the button becomes enabled, with no explicit user confirmation, dry-run mode, or separate approval gate in this file. In the context of a social-media publishing skill, this increases the risk of accidental posting, unintended disclosure, or abuse if the script is invoked with untrusted inputs or in the wrong account session.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The script reads persisted session cookies from a local file and injects them into a browser context that authenticates to Xiaohongshu, effectively reusing an account session without any visible consent, provenance checks, or user disclosure in this file. While this is functional automation rather than obvious credential theft, cookie-based session reuse is sensitive because compromise of the workspace or misuse of the script can lead to unauthorized account access and publishing actions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
This code repeatedly clicks any visible element whose text resembles publishing, confirmation, save, or dismissal actions, and even performs coordinate-based clicks, until it detects the title in the note manager. That creates a real risk of unintended irreversible publication or other authenticated state changes without explicit user confirmation, especially because the logic is intentionally broad and bypasses normal UI safeguards.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script loads persisted session cookies from a local file and injects them into a browser context to perform authenticated actions on Xiaohongshu without any additional disclosure or runtime consent. In a skill whose purpose is to publish/manage posts this may be operationally expected, but it still enables silent use of an existing logged-in identity and increases the risk of unauthorized posting if the skill is invoked unexpectedly or the session file is stale/shared.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script performs a real publish action as soon as required arguments are provided, using an existing authenticated session and without any interactive confirmation, consent gate, or safety interlock. In the context of a skill whose purpose is to control Xiaohongshu posting, this creates a meaningful risk of unauthorized or accidental posting to a live account, causing reputational damage, policy violations, or unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The code reads persisted session material from disk and injects cookies and localStorage directly into a browser context, effectively reusing an authenticated account without reauthentication or user awareness at runtime. In a publishing automation skill, this is especially dangerous because possession of the workspace file grants account access and the ability to post or manage content as the user.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script programmatically uploads an arbitrary local video file to Xiaohongshu using an authenticated browser session, but there is no in-script consent check, path restriction, or disclosure mechanism before exfiltrating local content to an external service. In the context of an automation skill designed to publish/manage posts, this behavior is expected operationally, but it is still dangerous because a caller can cause unintended disclosure of sensitive local media if inputs are not tightly controlled.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script reads persisted session cookies from disk and injects them into a Playwright browser context to act as an already-authenticated Xiaohongshu user, without any explicit disclosure, re-authentication, or scope check. This is risky because any process able to invoke the script can reuse stored credentials to perform account actions as the user, increasing the chance of unauthorized posting or account misuse if the local environment is compromised or inputs are abused.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The script explicitly reads and prints the gateway authentication token in plaintext, creating a direct sensitive-data exposure path at the natural-language and operational level. Anyone with access to the terminal, logs, recordings, or copied output can obtain the credential and potentially connect to the associated gateway/dashboard.

VirusTotal

64/64 vendors flagged this skill as clean.