Is xiaohongshu-mcp safe?

https://clawhub.ai/Borye/xiaohongshu-mcp

Overall score: 62 · Verdict: CAUTION

This skill wraps a Xiaohongshu (RedNote) social media automation tool with a Python HTTP client. While the Python client code itself is straightforward and non-malicious, the skill instructs users to download and execute opaque pre-compiled binaries from a third-party source, and the installation process was observed accessing sensitive files (.env, .aws/credentials). The publish capability creates a significant risk vector for irreversible social media actions and potential cross-skill data exfiltration.

Category Scores

Prompt Injection: 85/100 (weight 30%)
Data Exfiltration: 40/100 (weight 25%)
Code Execution: 45/100 (weight 20%)
Clone Behavior: 45/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 35/100 (weight 5%)

Findings (10)

CRITICAL · Sensitive files accessed during installation (-40)

The installation process read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, /home/oc-exec/.openclaw/openclaw.json, and auth-profiles.json. While this may be attributable to the openclaw runtime rather than the skill itself, it demonstrates that sensitive credentials are exposed during the skill install lifecycle.

HIGH · Instructs download and execution of opaque binaries (-35)

SKILL.md directs the agent/user to download pre-compiled binaries (xiaohongshu-mcp-darwin-arm64, xiaohongshu-login-darwin-arm64, etc.) from a third-party GitHub releases page and execute them with chmod +x. These binaries cannot be audited from the skill contents alone and could contain any arbitrary code.

HIGH · Publish command enables irreversible public social media posting (-30)

The skill's publish command allows the AI agent to post content publicly to Xiaohongshu on behalf of the authenticated user. This is an irreversible action that could be exploited for spam, misinformation, or reputation damage. There are no confirmation safeguards in the Python client.

HIGH · Login tool maintains persistent authenticated session (-20)

The login tool creates a persistent browser session authenticated to the user's Xiaohongshu account. The SKILL.md warns that logging in elsewhere invalidates the session, implying the MCP server maintains long-lived credential state on disk. This credential material is managed by the opaque binary.

MEDIUM · Security tokens passed as CLI arguments (-20)

The xsec_token values are passed as command-line arguments, which may be captured in shell history, process listings, or system logs, potentially leaking authentication tokens.

MEDIUM · Cross-skill data exfiltration vector via publish (-35)

If combined with other skills that can read local files or environment variables, an attacker could encode sensitive data into Xiaohongshu post content or titles, effectively using the social media platform as a covert exfiltration channel.

MEDIUM · Installer runtime reads user profile and config files (-15)

During installation, the openclaw runtime read .profile, .bashrc, and multiple openclaw configuration files. While likely part of normal runtime initialization, this exposes environment variables and shell configuration to the install process.

LOW · Shell commands with user-controlled arguments (-15)

SKILL.md examples show the agent constructing shell commands with search keywords and IDs that originate from user input or API responses. While the Python client uses argparse (not shell interpolation), the agent might construct commands via string concatenation in a shell context.

INFO · No outbound network connections during clone (0)

Network monitoring confirmed no outbound connections were made during the clone and install process. This is a positive signal.

INFO · No install scripts, git hooks, or submodules (0)

The skill contains no package.json install scripts, no git hooks, no git submodules, and no symlinks. The executable code is limited to the Python client.