Skill Trust Decision

xhs-skill-pusher

This is a Xiaohongshu content publishing skill that stores cookies locally and uses xhs-kit for automation. While not overtly malicious, it has a significant doc-to-code mismatch: it executes shell commands and shows other behavior that SKILL.md does not declare.

Source: Manual upload · Scanned: Apr 4, 2026
Files 12
Artifacts 1
Violations 3
Findings 5
Why this conclusion was reached

1/4 dimensions flagged

Block · Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review · Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Pass · Attack chain and severe findings

There is no explicit malicious chain in the report.

Review · Dependencies and supply chain hygiene

4 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared shell execution +20

SKILL.md declares NONE for all resources but bin/xhs-pusher.mjs uses execSync for shell commands

Unpinned Python dependencies +10

pip install xhs-kit without version pin; could pull malicious updates

Unpinned npm dependencies +5

package.json uses ^ ranges (e.g., commander@^11.1.0) without hash verification

Hidden workspace integration +10

init command references ~/.openclaw/workspace/ for script copying without declaration

Most important evidence

Medium · Doc Mismatch

Shell execution not declared in SKILL.md

SKILL.md declares all resources as NONE, but bin/xhs-pusher.mjs uses execSync() to execute shell commands (lines 24, 55, 69, 78, 90, 103, 115). Bash scripts also use subprocess.

Location: bin/xhs-pusher.mjs:24
Recommendation: Declare shell:WRITE in SKILL.md capabilities

Medium · Supply Chain

xhs-kit installed without version pinning

SKILL.md and scripts use 'pip install xhs-kit' without version constraints. An attacker compromising the PyPI package could push malicious updates.

Location: SKILL.md:50
Recommendation: Use 'pip install xhs-kit==X.Y.Z' with pinned version and hash verification

Medium · Sensitive Access

~/.openclaw/workspace reference without disclosure

The init command references copying scripts from ~/.openclaw/workspace/ but this cross-skill integration is not documented. Could access or execute code from the parent workspace.

Location: bin/xhs-pusher.mjs:162
Recommendation: Document workspace integration or remove this path reference

Low · Supply Chain

NPM dependencies use unpinned version ranges

package.json uses caret ranges (^11.1.0, ^5.3.0) for all dependencies. No integrity hashes in package-lock.json.

Location: package.json:18
Recommendation: Pin exact versions and include package-lock.json with integrity hashes

Low · Credential Theft

Cookie storage without encryption or secure handling

Authentication cookies are saved as plaintext JSON files in xhs_cookies/. No mention of encryption-at-rest or secure deletion.

Location: scripts/xhs_save_cookie.sh:88
Recommendation: Add encryption for stored cookies and warn users about file permissions

Declared capability vs actual capability

Capability | Status | Declared | Inferred | Evidence
Shell | Block | NONE | WRITE | bin/xhs-pusher.mjs:24 execSync
Filesystem | Block | NONE | WRITE | scripts/xhs_save_cookie.sh:90 mkdir + file write
Network | Block | NONE | READ | xhs-kit makes API calls to xiaohongshu.com
Environment | Pass | NONE | READ | xhs-kit may read env vars for auth

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
xhs-kit | * | pip | No | Not pinned - could be replaced with malicious version
playwright | * | pip | No | Not pinned
commander | ^11.1.0 | npm | No | Caret range without lock file hash
chalk | ^5.3.0 | npm | No | Caret range without lock file hash

File composition

12 files · 2815 lines
Shell: 5 files · 1308 lines
Markdown: 5 files · 1097 lines
JavaScript: 1 file · 373 lines
JSON: 1 file · 37 lines
Files of concern · 5
bin/xhs-pusher.mjs JavaScript · 373 lines
Shell execution not declared in SKILL.md · ~/.openclaw/workspace reference without disclosure
SKILL.md Markdown · 339 lines
xhs-kit installed without version pinning
scripts/xhs_save_cookie.sh Shell · 310 lines
Cookie storage without encryption or secure handling
PUSH_GUIDE.md Markdown · 188 lines
package.json JSON · 37 lines
NPM dependencies use unpinned version ranges
Other files · xhs_manage.sh · xhs_simple.sh · XHS_FINAL_SOLUTION.md · README.md · QUICK_START.md · push_to_github.sh +1

Security positives

No base64-encoded payloads or obfuscation found
No direct IP connections or C2 communication patterns
No credential harvesting loops over environment variables
No curl|bash or wget|sh remote script execution
No hidden instructions in HTML comments or binary blobs
No attempts to access ~/.ssh, ~/.aws, or other credential paths
Uses a legitimate, documented automation library (xhs-kit) for a real platform