Is xiaohongshu safe?
https://clawhub.ai/heiheimaoya/xiaohongshu
This Xiaohongshu (Little Red Book) social media automation skill poses significant security risks. It includes heavily obfuscated JavaScript with eval()-based code execution (stealth.min.js), starts a persistent unauthenticated HTTP signing server that handles session cookies, and instructs the AI agent to execute shell commands with root-level paths. While the core functionality (content creation and social media posting) is legitimate, the anti-detection tooling, broad permission requirements, and credential handling patterns create a dangerous attack surface that could be exploited for data exfiltration or unauthorized account access.
Findings (10)
CRITICAL Obfuscated JavaScript with extensive eval() usage -45
stealth.min.js contains heavily obfuscated JavaScript that uses eval() extensively to dynamically execute code strings. The file manipulates browser prototypes, intercepts function calls via Proxy objects, and patches native browser APIs. While this is derived from the known puppeteer-extra-stealth project, the obfuscated nature makes it extremely difficult to verify no malicious payloads are embedded within the eval'd code strings.
CRITICAL Credential handling and local signing server exposure -40
sign_server.py reads XHS_COOKIE from .env, parses it, injects it into a headless browser, and exposes a signing API on localhost:5006. This creates a persistent service that handles sensitive authentication tokens. The server has no authentication of its own, so any local process can call it. Combined with browser access, this could be used to silently perform actions on the user's Xiaohongshu account or exfiltrate the session cookies.
HIGH SKILL.md instructs agent to execute shell commands with hardcoded paths -35
The SKILL.md contains multiple shell command blocks that instruct the agent to activate Python virtual environments, run inline Python code, and interact with external directories. These commands operate on /root/ paths, suggesting root-level access expectations. The agent is directed to execute python -c with multiline inline code, which is a direct code execution vector.
HIGH Persistent HTTP server and browser automation -25
The skill includes sign_server.py which starts a persistent aiohttp web server on port 5006 that stays running indefinitely (while True: await asyncio.sleep(3600)). It also launches headless Chromium instances via Playwright. This gives the skill persistent network and browser capabilities that survive individual agent interactions.
HIGH Anti-detection tooling normalizes evasion techniques -40
The included stealth.min.js (puppeteer-extra-stealth evasions) is specifically designed to make automated browsers appear as real users, evading bot detection. While this serves the stated purpose of RPA-based posting, it normalizes anti-detection practices and could be leveraged to perform unauthorized scraping, account manipulation, or platform abuse at scale.
HIGH AWS credentials accessed during installation -15
Filesystem monitoring shows /home/oc-exec/.aws/credentials was opened and accessed during the skill installation process. While this may be incidental to the installation framework rather than the skill itself, it indicates the installation context has access to sensitive cloud credentials.
MEDIUM Skill requests excessive permissions beyond stated purpose -20
While described as a 'content creation and publishing' skill, it requires shell access, Python virtual environment activation, browser automation, cookie management, file system access, and network server capabilities. This permission scope far exceeds what a content creation tool should need.
MEDIUM Cookie and credential file storage in known paths -15
The skill stores and reads authentication cookies from predictable paths (social-auto-upload/cookies/xhs_account.json, .env). Any other skill or process with filesystem access could read these credentials. The skill also documents the .env file in its directory structure.
LOW Multiple temp files and lock files created during install -10
Installation created multiple jiti cache files in /tmp/ and a lock file at /tmp/openclaw-1000/. While likely benign (part of the installation framework), these filesystem changes outside the skill directory warrant noting.
INFO Canary files intact 0
No honeypot files (.env, SSH keys, AWS credentials canaries) were accessed or modified by the skill, indicating no active credential harvesting during installation.