Is borye/xiaohongshu-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/borye/xiaohongshu-mcp
This skill provides legitimate Xiaohongshu (RedNote) social media automation via a transparent Python HTTP client, but its core dependency — a pre-compiled binary server not bundled in the skill — represents a significant unauditable code execution surface. The Python client code is clean and only communicates with localhost, but an LLM agent following SKILL.md would download and execute opaque platform binaries from GitHub Releases, which run a headless browser with full user-level access and manage live authenticated sessions. The skill can also publish content to social media autonomously without per-action user confirmation.
Findings (7)
HIGH Pre-compiled opaque binary download and execution required -30
SKILL.md instructs downloading platform-specific pre-compiled binaries (xiaohongshu-mcp-linux-amd64, xiaohongshu-login-linux-amd64, etc.) from GitHub Releases and executing them with chmod +x. These binaries are not included in the skill, are not source-auditable within the skill directory, and run a headless Chromium browser with full user-level filesystem and network access. Any compromise of the upstream GitHub release (e.g. stolen maintainer keys, release asset substitution) would result in full code execution under the user's account.
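The check a reviewer would want in front of that chmod +x step is a digest comparison against a value pinned before the download, so that a substituted release asset is refused rather than made executable. The following is an added example written for this review; it is not code from the skill or from the xiaohongshu-mcp project. It assumes a hypothetical sha256sum-style manifest that the operator pinned out of band, and the "binary" it checks is a constructed file in a temporary directory.

```python
"""Added example: verify a downloaded release asset against a pinned
SHA-256 digest before setting the executable bit.  Not code from the
skill or the xiaohongshu-mcp project.  The manifest and the asset
contents below are constructed for the example."""
import hashlib
import hmac
import os
import stat
import tempfile

ASSET = "xiaohongshu-mcp-linux-amd64"  # asset name taken from the skill's instructions


def parse_sha256sums(manifest: str) -> dict:
    """Parse sha256sum-style '<hex>  <name>' lines into {name: hex}.
    Blank lines and '#' comments are skipped; anything else malformed raises."""
    digests = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        # sha256sum writes '*name' for binary mode; strip the marker
        digests[parts[1].lstrip("*")] = parts[0].lower()
    return digests


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_if_verified(path: str, asset_name: str, manifest: str) -> bool:
    """Set u+x on `path` only if its digest matches the pinned entry for
    `asset_name`.  Returns False, leaving the file non-executable, when the
    asset is absent from the manifest or the digest differs."""
    expected = parse_sha256sums(manifest).get(asset_name)
    if expected is None:
        return False
    if not hmac.compare_digest(sha256_file(path), expected):
        return False
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return True


def is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def demo(data: bytes = b"constructed stand-in for the release binary\n") -> tuple:
    """Run the check against a constructed asset, then against a tampered copy
    with the same file name.  Returns (good_ok, good_exec, bad_ok, bad_exec)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ASSET)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644)
        # the operator pins this digest out of band, before any download
        manifest = f"{hashlib.sha256(data).hexdigest()}  {ASSET}\n"
        good_ok = install_if_verified(path, ASSET, manifest)
        good_exec = is_executable(path)
        # simulate a substituted release asset: same name, different bytes
        with open(path, "wb") as f:
            f.write(data + b"\x90\x90 injected")
        os.chmod(path, 0o644)
        bad_ok = install_if_verified(path, ASSET, manifest)
        bad_exec = is_executable(path)
    return good_ok, good_exec, bad_ok, bad_exec


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

A pinned digest only proves the asset is the one you previously decided to trust; it does not make an opaque binary auditable, and a checksum fetched from the same release page can be swapped by the same attacker who swaps the asset, so the pin has to come from somewhere the release process cannot rewrite.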
HIGH LLM agent can autonomously publish to social media account -20
The publish command requires only a title, content string, and image URL — parameters an LLM agent could synthesize from context without prompting the user per post. An agent following this skill could scrape content from other sources and republish it on the user's Xiaohongshu account, post sensitive information, or be manipulated via prompt injection in third-party content to post attacker-controlled messages.
MEDIUM Headless browser session management creates credential theft surface -15
The xiaohongshu-mcp binary maintains an active authenticated Xiaohongshu browser session stored in the binary's data directory. The session tokens, cookies, and any content displayed in the headless browser are accessible to the binary process. If the binary is malicious or compromised, it can exfiltrate the session, enabling account takeover without the user's knowledge.
MEDIUM All six canary credential files opened and read during audit window -15
The inotify and auditd PATH records show OPEN/ACCESS/CLOSE_NOWRITE events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json at both pre-install (1771734854.994) and post-install (1771734872.168) timestamps. File content was not modified (CLOSE_NOWRITE, canary integrity passes). The access pattern — all six files at an identical timestamp — is consistent with the oathe monitoring system's canary verification routine. However, reads cannot be fully attributed without per-syscall PID records, so this is flagged as an unresolved concern.
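To make concrete what "cannot be fully attributed without per-syscall PID records" means, here is an added example, not code from the audit tooling or from the skill, that joins auditd SYSCALL and PATH records on their shared event serial and reports which process opened each canary file. Events that carry only PATH records, which is the situation the finding describes, come out as unattributed. The log lines, the process name canary-check, the PIDs, inodes and home-directory paths are all constructed for the example.

```python
"""Added example: attribute canary-file opens to processes by joining auditd
SYSCALL and PATH records on their event serial.  Not code from the audit
tooling or the skill.  All log lines below are constructed; 'canary-check'
is a hypothetical process name."""
import re
from collections import defaultdict

# the six canary files named in the finding
CANARIES = (
    ".env",
    ".ssh/id_rsa",
    ".aws/credentials",
    ".npmrc",
    ".docker/config.json",
    ".gcloud/application_default_credentials.json",
)

# every record of one audit event shares the same msg=audit(<ts>:<serial>)
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value fields; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LINES = [
    # event 4101: openat() of ~/.ssh/id_rsa by the hypothetical monitoring process
    'type=SYSCALL msg=audit(1771734854.994:4101): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2317 uid=1000 comm="canary-check" exe="/usr/local/bin/canary-check" key="canary"',
    'type=CWD msg=audit(1771734854.994:4101): cwd="/home/user"',
    'type=PATH msg=audit(1771734854.994:4101): item=0 name="/home/user/.ssh/" inode=120 mode=040700 nametype=PARENT',
    'type=PATH msg=audit(1771734854.994:4101): item=1 name="/home/user/.ssh/id_rsa" inode=131 mode=0100600 nametype=NORMAL',
    # event 4102: same process, ~/.aws/credentials
    'type=SYSCALL msg=audit(1771734854.994:4102): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2317 uid=1000 comm="canary-check" exe="/usr/local/bin/canary-check" key="canary"',
    'type=PATH msg=audit(1771734854.994:4102): item=0 name="/home/user/.aws/credentials" inode=140 mode=0100600 nametype=NORMAL',
    # event 4188: only a PATH record was kept, so there is no pid to join on
    'type=PATH msg=audit(1771734872.168:4188): item=0 name="/home/user/.env" inode=150 mode=0100600 nametype=NORMAL',
    # event 4190: attributed again
    'type=SYSCALL msg=audit(1771734872.168:4190): arch=c000003e syscall=257 success=yes exit=4 ppid=2200 pid=2317 uid=1000 comm="canary-check" exe="/usr/local/bin/canary-check" key="canary"',
    'type=PATH msg=audit(1771734872.168:4190): item=0 name="/home/user/.docker/config.json" inode=160 mode=0100600 nametype=NORMAL',
    # event 4203: a non-canary file, ignored
    'type=PATH msg=audit(1771734890.001:4203): item=0 name="/home/user/notes.txt" inode=170 mode=0100644 nametype=NORMAL',
]


def parse_record(line: str):
    """Split one audit record into a dict of its key=value fields plus the
    event timestamp and serial.  Returns None for lines without msg=audit()."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["_ts"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def attribute_canary_access(lines):
    """Return [(timestamp, path, who)] for every NORMAL PATH record that
    names a canary file.  'who' is the pid/comm/exe of the SYSCALL record in
    the same event, or 'unattributed' when the event has no SYSCALL record."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["_ts"], rec["_serial"])].append(rec)

    results = []
    for (ts, _serial), recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        for r in recs:
            # PARENT entries are the containing directory, not the file itself
            if r.get("type") != "PATH" or r.get("nametype") != "NORMAL":
                continue
            name = r.get("name", "")
            if not any(name.endswith("/" + c) for c in CANARIES):
                continue
            if syscall is None:
                who = "unattributed"
            else:
                who = f"pid={syscall['pid']} comm={syscall['comm']} exe={syscall['exe']}"
            results.append((ts, name, who))
    return results


def unattributed(results):
    """Paths whose open could not be tied to a process."""
    return [name for _, name, who in results if who == "unattributed"]


if __name__ == "__main__":
    for row in attribute_canary_access(SAMPLE_LINES):
        print(row)
```

With the SYSCALL records present, the four canary opens collapse to one pid and one executable, which is the evidence the finding lacks; the .env open in event 4188 stays unattributed because nothing in that event carries a pid. In practice this means keeping the full event (SYSCALL, CWD, PATH) for the audit window rather than filtering to PATH records up front.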
LOW SKILL.md directs agent to external binary download URL -12
The skill description and setup instructions reference GitHub Releases as the source for binaries. An LLM agent processing this skill could be directed to autonomously initiate binary downloads to satisfy setup prerequisites before a user has reviewed the binaries. This is a low-severity concern since the URL is public and well-known, but it establishes a pattern of the skill directing outbound fetch operations.
LOW Executable Python script bundled in skill -8
scripts/xhs_client.py is a runnable Python script. The code is transparent and reviewable — it only makes HTTP requests to localhost:18060. However, bundling executable code in a skill means an LLM agent can invoke it directly via shell tools without additional user approval.
INFO Clean installation — only expected GitHub network activity -10
The clone process made a single HTTPS connection to 140.82.121.3:443 (GitHub). No other external hosts were contacted. No unexpected processes were spawned. Post-install connection diff shows no new listening ports or persistent connections.