Oathe Security Badge

Is 18923236683/xhs-auto-content-by-hot safe?

https://clawhub.ai/18923236683/xhs-auto-content-by-hot

79
CAUTION

This skill appears to be a legitimate tool for generating social media content for the Xiaohongshu (Little Red Book) platform by fetching trending topics and creating images via ByteDance's API. However, it exhibits poor security practices by instructing users to provide API keys that are stored in plaintext within the script file.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM Insecure API Key Collection -15

The skill instructs the agent to ask users for their ByteDance API key and store it directly in the Python script file in plaintext, which is a poor security practice.

MEDIUM External API Communications -25

The script makes network requests to external services including Baidu hot search API and ByteDance image generation API using user-provided credentials.

MEDIUM Network-Enabled Code Execution -30

The Python script executes with network access, makes HTTP requests to external APIs, and writes files to the filesystem including a root directory path.

LOW Legitimate but Security-Naive Implementation -20

While the skill serves a legitimate purpose (generating social media content for Xiaohongshu), it implements poor security practices for handling user credentials.