Xhs Skills

Security checks across malware telemetry and agentic risk

Overview

This Xiaohongshu automation skill appears related to its stated purpose, but it gives a local browser bridge broad control over a logged-in social account and sensitive browser data without enough user-facing limits or consent gates.

Install only if you are comfortable granting a local extension and Python bridge control over your logged-in Xiaohongshu browser session. Use a dedicated account if possible, review every post/comment/like/favorite before execution, and avoid using the login QR flow until third-party QR decoding and broad browser bridge powers are removed or clearly gated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill invokes local Python scripts, launches Chrome, performs login flows, and accesses files and network resources, which implies shell, file, environment, and network capabilities. Because no permissions are explicitly declared, users and policy enforcement layers cannot accurately assess or constrain what the skill can do, increasing the risk of over-privileged execution and unintended data access.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose presents the skill as a Xiaohongshu automation assistant, but the detected behavior includes sensitive browser-control capabilities such as extracting all site cookies, executing arbitrary JavaScript in the page context, taking screenshots, attaching via Chrome Debugger/CDP, setting local file inputs, and maintaining a WebSocket bridge for remote browser control. These capabilities materially exceed normal app automation and could enable account takeover, data exfiltration, covert browsing surveillance, or arbitrary actions in the user's authenticated session.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The extension exposes a generic `evaluate` path that executes attacker-controlled JavaScript in the page's MAIN world via `Function(...)`. Because commands arrive over a localhost WebSocket and are not constrained to a narrow allowlist of Xiaohongshu actions, any local process able to speak to the bridge can run arbitrary code in the authenticated site context and access page data beyond the stated automation purpose.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The skill can attach the Chrome debugger and call `DOM.setFileInputFiles` with arbitrary local file paths provided by the Python side. This grants a powerful browser-debugging primitive that can cause local files to be uploaded into web pages without a clear user-mediated file picker, creating a path for local data exfiltration if the bridge is abused.

Description-Behavior Mismatch
Severity: Medium
Confidence: 82%
Finding: The manifest describes a simple bridge to a local Python CLI, but it also requests powerful permissions for tabs, cookies, scripting, alarms, debugger, and content-script access across Xiaohongshu domains. This creates a capability-to-purpose mismatch that can conceal extensive browser automation or session access beyond what users would reasonably expect from the stated description.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The debugger permission is highly sensitive because it can inspect and manipulate network traffic, page state, and runtime behavior in tabs. For a Xiaohongshu automation bridge, this is far more powerful than typical automation needs and materially increases the risk of credential theft, session hijacking, or stealthy browser control if the extension is abused or compromised.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The code transmits login QR code image bytes to a third-party service (api.qrserver.com) for decoding. A login QR code is authentication material, so sending it off-platform expands trust boundaries and can expose session initiation data to an unrelated external party, which is outside the stated Xiaohongshu automation scope.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: This introduces a new third-party network capability that posts authentication-related QR images to api.qrserver.com. Even if intended for convenience, this creates an unnecessary exfiltration path for sensitive login artifacts and increases supply-chain and privacy risk because a compromised or logging third party could capture login URLs or metadata.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The skill declares a strict allowlist of permitted CLI subcommands, but later requires invoking `save-draft`, which is not on that list. This creates an inconsistent security boundary: an agent that follows the allowlist may refuse the required safety-preserving action, while an agent that ignores it learns that the documented boundary is unreliable, increasing the chance of policy bypass or unsafe command expansion.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill explicitly states it will use the user's real browser and account to operate Xiaohongshu, but the file does not provide an explicit user-facing warning about account actions, privacy exposure, or the possibility of posting/interacting under the user's identity. In an automation skill that can publish, comment, like, favorite, and log in, lack of clear consent and risk disclosure increases the chance of unintended account-impacting actions and privacy harm.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README explicitly instructs users to install an extension that operates in their own browser session and with their real Xiaohongshu account, then encourages actions like posting, commenting, liking, and collecting content. While this is the intended product behavior, the warning only discusses rate limits and anti-abuse controls, not the privacy, consent, account-security, or reputational risks of letting an AI drive a logged-in social account, so users may underestimate the consequences of automated actions taken on their behalf.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger conditions are broad and match common actions like login, publish, search, comment, like, and analyze, which creates a real risk of accidental invocation during ordinary conversation. In this context, accidental triggering is more dangerous because the skill can perform authenticated social actions and browser automation, potentially causing unintended account activity or disclosure of local data paths and session state.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: `cmdGetCookies` returns all cookies for a supplied domain and sends results back over the bridge with no user disclosure or meaningful access control. For an authenticated Xiaohongshu session, this can expose session identifiers and other sensitive tokens to any process able to communicate with the localhost WebSocket, enabling account hijack or tracking.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The screenshot command captures the visible tab and returns the image data over the bridge without explicit notice or consent. This can expose private on-screen content, including messages, account details, drafts, or other sensitive information present in the browser at capture time.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The MAIN-world evaluation path lacks user warning and, more importantly, executes arbitrary expressions directly in the live page context. In this skill, that is especially dangerous because the extension is designed to operate on logged-in Xiaohongshu pages, so arbitrary evaluation can read page globals, scrape private data, manipulate workflows, and potentially aid session abuse.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The debugger-based file upload path accepts local filesystem paths from the bridge and applies them to a page file input without any user-facing warning. In context, this bypasses the normal user gesture expectations around file selection and could be abused to upload arbitrary local files to Xiaohongshu or another permitted page.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The content script accepts runtime messages and can remove arbitrary DOM elements via a CSS selector without any visible disclosure or restriction. In this skill context, the extension is explicitly designed to automate social-platform actions, so silent DOM deletion can hide warnings, consent dialogs, security notices, or UI state from the user and enable deceptive automation flows.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script programmatically populates file inputs by constructing File objects from provided base64 data and assigning them to an input element, then firing input/change events. This bypasses the normal user-mediated file selection flow, which is sensitive because it enables silent uploads or post creation with arbitrary content presented as a local file, in a browser automation skill that performs publishing and social interactions.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The CLI automatically starts a local bridge server and may launch Chrome if the extension is not connected, without an explicit confirmation step at execution time. In an agent skill context, this can cause unexpected process execution and browser activation on a user's machine, expanding the tool's side effects beyond what a caller may anticipate.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: This code performs outbound HTTP requests to arbitrary user-supplied URLs and writes the response body to disk without any user confirmation, host allowlisting, content-type validation, size limits, or SSRF protections. In an automation skill context, that can be abused to fetch internal resources, unexpectedly large payloads, or non-image content and persist it locally, creating network exposure and local storage risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code directly posts comments and replies to Xiaohongshu using browser automation without any built-in confirmation, preview, rate-limit, or user-presence check. Because commenting is a user-visible external action, an upstream agent or prompt injection could cause unintended spam, harassment, or reputational damage through autonomous posting.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code performs a state-changing social action (like/unlike) immediately when invoked, with no in-function confirmation, consent check, or user-visible disclosure. In an automation skill that can act on a logged-in social-media account, this creates a real risk of unauthorized engagement, accidental account manipulation, and abuse if upstream intent validation is weak or bypassed.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The favorite/unfavorite functions directly modify saved content state on the user's account without any built-in confirmation or warning. Because this skill is specifically designed to automate Xiaohongshu interactions, silent execution of favorites can alter user data, create unintended endorsements, and be misused for engagement manipulation at scale.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The function sends QR code bytes to an external service without any visible disclosure or consent mechanism. Because the QR may encode a live login URL or token-bearing authentication state, users and operators may unknowingly leak sensitive authentication data to a third party.

Missing User Warnings
Severity: High
Confidence: 84%
Finding: Comment serialization includes ipLocation, which is location-related personal data and may be returned to downstream callers without any access control or minimization visible in this layer. In an automation skill for social-platform scraping/interaction, exposing commenter location metadata can facilitate profiling, deanonymization, or bulk collection of sensitive user attributes.

VirusTotal

67/67 vendors flagged this skill as clean.