Suspicious: risk score 45/100
Last scan: 1 day ago
xhs-skill-pusher
Xiaohongshu content publishing skill: standardized cookie management + xhs-kit automated publishing
This is a Xiaohongshu content publishing skill that stores cookies locally and uses xhs-kit for automation. While not overtly malicious, it has significant doc-to-code mismatch on shell execution and undeclared behavior.
Skill name: xhs-skill-pusher
Analysis time: 51.3s
Engine: pi
Verdict: use with caution
Before using, verify the xhs-kit source, pin dependency versions, and add explicit shell/filesystem declarations to SKILL.md

Security findings (5)

Severity | Finding | Location
Medium: Shell execution not declared in SKILL.md (category: documentation deception)
SKILL.md declares all resources as NONE, but bin/xhs-pusher.mjs uses execSync() to execute shell commands (lines 24, 55, 69, 78, 90, 103, 115). Bash scripts also use subprocess.
execSync('which xhs-kit', { stdio: 'ignore' })
→ Declare shell:WRITE in SKILL.md capabilities
bin/xhs-pusher.mjs:24
Medium: xhs-kit installed without version pinning (category: supply chain)
SKILL.md and scripts use 'pip install xhs-kit' without version constraints. An attacker compromising the PyPI package could push malicious updates.
pip install xhs-kit
→ Use 'pip install xhs-kit==X.Y.Z' with pinned version and hash verification
SKILL.md:50
Medium: ~/.openclaw/workspace reference without disclosure (category: sensitive access)
The init command references copying scripts from ~/.openclaw/workspace/ but this cross-skill integration is not documented. Could access or execute code from the parent workspace.
cp ~/.openclaw/workspace/${script} scripts/
→ Document workspace integration or remove this path reference
bin/xhs-pusher.mjs:162
Low: NPM dependencies use unpinned version ranges (category: supply chain)
package.json uses caret ranges (^11.1.0, ^5.3.0) for all dependencies. No integrity hashes in package-lock.json.
"commander": "^11.1.0"
→ Pin exact versions and include package-lock.json with integrity hashes
package.json:18
Low: Cookie storage without encryption or secure handling (category: credential theft)
Authentication cookies are saved as plaintext JSON files in xhs_cookies/. No mention of encryption-at-rest or secure deletion.
echo "$cookie_json" > "$filepath"
→ Add encryption for stored cookies and warn users about file permissions
scripts/xhs_save_cookie.sh:88
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✗ exceeds declaration | bin/xhs-pusher.mjs:24 execSync
Filesystem | NONE | WRITE | ✗ exceeds declaration | scripts/xhs_save_cookie.sh:90 mkdir + file write
Network access | NONE | READ | ✗ exceeds declaration | xhs-kit makes API calls to xiaohongshu.com
Environment variables | NONE | READ | ✓ consistent | xhs-kit may read env vars for auth
Secrets and PII: 1 finding
Level | Type | Description | Value | Location
Info | 📧 Email | Email address | [email protected] | PUSH_GUIDE.md:47

Directory structure

12 files · 73.4 KB · 2815 lines
Shell: 5 files · 1308 lines | Markdown: 5 files · 1097 lines | JavaScript: 1 file · 373 lines | JSON: 1 file · 37 lines
├─ 📁 bin
│ └─ 📜 xhs-pusher.mjs JavaScript 373L · 10.2 KB
├─ 📁 docs
│ ├─ 📝 QUICK_START.md Markdown 165L · 3.7 KB
│ └─ 📝 XHS_FINAL_SOLUTION.md Markdown 237L · 6.4 KB
├─ 📁 scripts
│ ├─ 🔧 xhs_final.sh Shell 19L · 515 B
│ ├─ 🔧 xhs_manage.sh Shell 474L · 14.2 KB
│ ├─ 🔧 xhs_save_cookie.sh Shell 310L · 7.4 KB
│ └─ 🔧 xhs_simple.sh Shell 453L · 11.3 KB
├─ 📋 package.json JSON 37L · 842 B
├─ 📝 PUSH_GUIDE.md Markdown 188L · 4.5 KB
├─ 🔧 push_to_github.sh Shell 52L · 1.4 KB
├─ 📝 README.md Markdown 168L · 4.5 KB
└─ 📝 SKILL.md Markdown 339L · 8.4 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
xhs-kit | * | pip | | Not pinned: could be replaced with a malicious version
playwright | * | pip | | Not pinned
commander | ^11.1.0 | npm | | Caret range without lock file hash
chalk | ^5.3.0 | npm | | Caret range without lock file hash

Security highlights

✓ No base64-encoded payloads or obfuscation found
✓ No direct IP connections or C2 communication patterns
✓ No credential harvesting loops over environment variables
✓ No curl|bash or wget|sh remote script execution
✓ No hidden instructions in HTML comments or binary blobs
✓ No attempts to access ~/.ssh, ~/.aws, or other credential paths
✓ Uses a legitimate, documented automation library (xhs-kit) for a real platform