Security Decision Report

xhs-skill-pusher

This is a Xiaohongshu content publishing skill that stores cookies locally and uses xhs-kit for automation. While not overtly malicious, it has a significant doc-to-code mismatch on shell execution and undeclared behavior.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files 12
IOC 1
Out-of-scope items 3
Findings 5
Most direct threat evidence

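Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or out-of-scope behaviors beyond what is declared.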

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Found 4 dependency or supply-chain indicators that need attention.

How the risk score was raised

Undeclared shell execution +20

SKILL.md declares NONE for all resources but bin/xhs-pusher.mjs uses execSync for shell commands

Unpinned Python dependencies +10

pip install xhs-kit without version pin; could pull malicious updates

Unpinned npm dependencies +5

package.json uses ^ ranges (e.g., commander@^11.1.0) without hash verification

Hidden workspace integration +10

init command references ~/.openclaw/workspace/ for script copying without declaration

Key evidence

Medium · Documentation deception

Shell execution not declared in SKILL.md

SKILL.md declares all resources as NONE, but bin/xhs-pusher.mjs uses execSync() to execute shell commands (lines 24, 55, 69, 78, 90, 103, 115). Bash scripts also use subprocess.

bin/xhs-pusher.mjs:24
Declare shell:WRITE in SKILL.md capabilities
Medium · Supply chain

xhs-kit installed without version pinning

SKILL.md and scripts use 'pip install xhs-kit' without version constraints. An attacker compromising the PyPI package could push malicious updates.

SKILL.md:50
Use 'pip install xhs-kit==X.Y.Z' with pinned version and hash verification
Medium · Sensitive access

~/.openclaw/workspace reference without disclosure

The init command references copying scripts from ~/.openclaw/workspace/ but this cross-skill integration is not documented. Could access or execute code from the parent workspace.

bin/xhs-pusher.mjs:162
Document workspace integration or remove this path reference
Low · Supply chain

NPM dependencies use unpinned version ranges

package.json uses caret ranges (^11.1.0, ^5.3.0) for all dependencies. No integrity hashes in package-lock.json.

package.json:18
Pin exact versions and include package-lock.json with integrity hashes
Low · Credential theft

Cookie storage without encryption or secure handling

Authentication cookies are saved as plaintext JSON files in xhs_cookies/. No mention of encryption-at-rest or secure deletion.

scripts/xhs_save_cookie.sh:88
Add encryption for stored cookies and warn users about file permissions

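Declared capabilities vs. actual capabilities

Command execution: Block
Declared NONE
Inferred WRITE
bin/xhs-pusher.mjs:24 execSync
File system: Block
Declared NONE
Inferred WRITE
scripts/xhs_save_cookie.sh:90 mkdir + file write
Network access: Block
Declared NONE
Inferred READ
xhs-kit makes API calls to xiaohongshu.com
Environment variables: Pass
Declared NONE
Inferred READ
xhs-kit may read env vars for auth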

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
xhs-kit | * | pip | | Not pinned - could be replaced with malicious version
playwright | * | pip | | Not pinned
commander | ^11.1.0 | npm | | Caret range without lock file hash
chalk | ^5.3.0 | npm | | Caret range without lock file hash

File composition

12 files · 2815 lines
Shell 5 files · 1308 lines
Markdown 5 files · 1097 lines
JavaScript 1 file · 373 lines
JSON 1 file · 37 lines
Files needing attention · 5
bin/xhs-pusher.mjs JavaScript · 373 lines
Shell execution not declared in SKILL.md · ~/.openclaw/workspace reference without disclosure
SKILL.md Markdown · 339 lines
xhs-kit installed without version pinning
scripts/xhs_save_cookie.sh Shell · 310 lines
Cookie storage without encryption or secure handling
PUSH_GUIDE.md Markdown · 188 lines
package.json JSON · 37 lines
NPM dependencies use unpinned version ranges
Other files · xhs_manage.sh · xhs_simple.sh · XHS_FINAL_SOLUTION.md · README.md · QUICK_START.md · push_to_github.sh +1

Security highlights

No base64-encoded payloads or obfuscation found
No direct IP connections or C2 communication patterns
No credential harvesting loops over environment variables
No curl|bash or wget|sh remote script execution
No hidden instructions in HTML comments or binary blobs
No attempts to access ~/.ssh, ~/.aws, or other credential paths
Uses a legitimate, documented automation library (xhs-kit) for a real platform