Low Risk — Risk Score 15/100
Last scan: 1 day ago
skill-xhs-mcp-service
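Xiaohongshu (XHS/RED) automation assistant: an MCP server providing 13 tools for login management, content retrieval, search, interactions (like/favorite/comment), user profile retrieval, and image-text/video publishing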
Legitimate Xiaohongshu automation MCP service with no malicious behavior; cookie storage is local-only, network access is limited to the official platform, and all 13 tools are fully declared in documentation.
Skill Name: skill-xhs-mcp-service
Duration: 61.3s
Engine: pi
Safe to install
Pin dependency versions in package.json (e.g., [email protected] without caret), encrypt cookies.json at rest, and consider restricting XHS_HOST from 0.0.0.0 to 127.0.0.1 for production deployments.

Findings 4 items

Severity: Low
Finding: Unpinned dependency versions with caret ranges
Category: Supply Chain
Description: All dependencies in package.json use ^ version ranges (^1.0.0, ^4.18.2, ^24.0.0, ^1.5.3, ^3.22.0) without upper bounds, allowing npm to silently install newer minor/patch versions that could introduce vulnerabilities or breaking changes.
Evidence: "@modelcontextprotocol/sdk": "^1.0.0",
→ Pin exact versions (e.g., "@modelcontextprotocol/sdk": "1.0.0") and audit updates manually.
Location: package.json:27

Severity: Low
Finding: Cookies stored in plaintext JSON file
Category: Sensitive Access
Description: Session tokens (access-token-creator, web_session, id_token, customer-sso-sid) are persisted in data/cookies.json as unencrypted plaintext, posing a risk if the filesystem is compromised.
Evidence: {"name": "access-token-creator.xiaohongshu.com", "value": "customer.creator.AT-..."}
→ Encrypt the cookies file at rest or use a platform credential store.
Location: data/cookies.json:1

Severity: Low
Finding: Service binds to 0.0.0.0 by default
Category: Priv Escalation
Description: XHS_HOST defaults to '0.0.0.0', making the MCP service reachable on all network interfaces. Combined with no authentication on /mcp endpoints, any local network user can invoke all 13 tools.
Evidence: const HOST = process.env.XHS_HOST || '0.0.0.0';
→ Default to '127.0.0.1' or add MCP authentication middleware.
Location: scripts/index.js:17

Severity: Info
Finding: Dormant hardcoded IP in browser.js
Category: Supply Chain
Description: scripts/browser.js:59 contains a comparison against '120.0.0.0' that is never triggered (host variable is always derived from URL parsing). This appears to be an inert placeholder from pre-scan sanitization and carries no active risk.
Evidence: if (host === '120.0.0.0')
→ Remove the dead code branch for clarity.
Location: scripts/browser.js:59

Resource     Declared  Inferred  Status     Evidence
Filesystem   WRITE     WRITE     ✓ Aligned  browser.js:79-84 writes cookies.json to data/
Network      READ      READ      ✓ Aligned  All HTTP requests target www.xiaohongshu.com only
Shell        NONE      WRITE     ✓ Aligned  ensure-service.js:41 spawns 'node' process to start the MCP server
Environment  NONE      READ      ✓ Aligned  browser.js:20 reads XHS_PROXY; index.js:17 reads XHS_PORT/XHS_HOST

1 High 8 findings
Severity  Type                             Value                                                 Location
High      IP Address (hardcoded IP)        120.0.0.0                                             scripts/browser.js:59
Medium    External URL                     https://www.xiaohongshu.com                           scripts/login.js:22
Medium    External URL                     https://creator.xiaohongshu.com/publish/publish       scripts/login.js:41
Medium    External URL                     https://www.xiaohongshu.com/explore/$                 scripts/xhs-tools.js:44
Medium    External URL                     https://www.xiaohongshu.com$                          scripts/xhs-tools.js:87
Medium    External URL                     https://www.xiaohongshu.com/explore                   scripts/xhs-tools.js:206
Medium    External URL                     https://www.xiaohongshu.com/search_result?keyword=$   scripts/xhs-tools.js:244
Medium    External URL                     https://www.xiaohongshu.com/user/profile/$            scripts/xhs-tools.js:490

File Tree

13 files · 73.7 KB · 2837 lines
JavaScript 9f · 2163L Markdown 2f · 360L JSON 2f · 314L
├─ data
│ └─ cookies.json JSON 267L · 6.3 KB
├─ references
│ └─ api.md Markdown 232L · 4.6 KB
├─ scripts
│ ├─ browser.js JavaScript 162L · 3.5 KB
│ ├─ ensure-service.js JavaScript 113L · 2.6 KB
│ ├─ index-fixed.js JavaScript 293L · 8.7 KB
│ ├─ index-progressive.js JavaScript 61L · 1.8 KB
│ ├─ index-sse.js JavaScript 215L · 5.0 KB
│ ├─ index.js JavaScript 460L · 12.3 KB
│ ├─ login.js JavaScript 100L · 2.4 KB
│ ├─ utils.js JavaScript 82L · 1.4 KB
│ └─ xhs-tools.js JavaScript 677L · 20.6 KB
├─ package.json JSON 47L · 1.1 KB
└─ SKILL.md Markdown 128L · 3.3 KB

Dependencies 5 items

Package                    Version   Source  Known Vulns  Notes
@modelcontextprotocol/sdk  ^1.0.0    npm     No           Version not pinned with ^ range
express                    ^4.18.2   npm     No           Version not pinned with ^ range
puppeteer                  ^24.0.0   npm     No           Version not pinned with ^ range; this is the heaviest dependency
qrcode                     ^1.5.3    npm     No           Version not pinned with ^ range
zod                        ^3.22.0   npm     No           Version not pinned with ^ range

Security Positives

✓ All 13 MCP tools are fully declared in SKILL.md with matching implementations — no hidden functionality
✓ No credential harvesting: no iteration over os.environ, no SSH/AWS config access, no .env reading
✓ No data exfiltration: all network requests are confined to www.xiaohongshu.com and creator.xiaohongshu.com
✓ No obfuscation: no base64 payloads, no eval(), no atob(), no dynamic code generation
✓ No remote script execution: no curl|bash or wget|sh patterns
✓ Cookies are stored locally only and not transmitted to any third party
✓ Uses standard, well-audited dependencies (puppeteer, express, @modelcontextprotocol/sdk)