skill-xhs-mcp-service 安全扫描报告 — 低风险 | ClawSafe

15 /100

skill-xhs-mcp-service

小红书（XHS/RED）自动化助手 — MCP 服务端提供 13 个工具：登录管理、内容获取、搜索、互动操作（点赞/收藏/评论）、用户主页获取和图文/视频发布

Legitimate Xiaohongshu automation MCP service with no malicious behavior; cookie storage is local-only, network access is limited to the official platform, and all 13 tools are fully declared in documentation.

技能名称skill-xhs-mcp-service

分析耗时61.3s

引擎pi

✓

可以安装

Pin dependency versions in package.json (e.g., [email protected] without caret), encrypt cookies.json at rest, and consider restricting XHS_HOST from 0.0.0.0 to 127.0.0.1 for production deployments.

安全发现 4 项

严重性	安全发现	位置
低危	Unpinned dependency versions with caret ranges 供应链 All dependencies in package.json use ^ version ranges (^1.0.0, ^4.18.2, ^24.0.0, ^1.5.3, ^3.22.0) without upper bounds, allowing npm to silently install newer minor/patch versions that could introduce vulnerabilities or breaking changes. `"@modelcontextprotocol/sdk": "^1.0.0",` → Pin exact versions (e.g., "@modelcontextprotocol/sdk": "1.0.0") and audit updates manually.	`package.json:27`
低危	Cookies stored in plaintext JSON file 敏感访问 Session tokens (access-token-creator, web_session, id_token, customer-sso-sid) are persisted in data/cookies.json as unencrypted plaintext, posing a risk if the filesystem is compromised. `{"name": "access-token-creator.xiaohongshu.com", "value": "customer.creator.AT-..."}` → Encrypt the cookies file at rest or use a platform credential store.	`data/cookies.json:1`
低危	Service binds to 0.0.0.0 by default 权限提升 XHS_HOST defaults to '0.0.0.0', making the MCP service reachable on all network interfaces. Combined with no authentication on /mcp endpoints, any local network user can invoke all 13 tools. `const HOST = process.env.XHS_HOST \|\| '0.0.0.0';` → Default to '127.0.0.1' or add MCP authentication middleware.	`scripts/index.js:17`
提示	Dormant hardcoded IP in browser.js 供应链 scripts/browser.js:59 contains a comparison against '120.0.0.0' that is never triggered (host variable is always derived from URL parsing). This appears to be an inert placeholder from pre-scan sanitization and carries no active risk. `if (host === '120.0.0.0')` → Remove the dead code branch for clarity.	`scripts/browser.js:59`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	browser.js:79-84 writes cookies.json to data/
网络访问	`READ`	`READ`	✓ 一致	All HTTP requests target www.xiaohongshu.com only
命令执行	`NONE`	`WRITE`	✓ 一致	ensure-service.js:41 spawns 'node' process to start the MCP server
环境变量	`NONE`	`READ`	✓ 一致	browser.js:20 reads XHS_PROXY; index.js:17 reads XHS_PORT/XHS_HOST

1 高危 8 项发现

📡

高危 IP 地址硬编码 IP 地址

120.0.0.0

scripts/browser.js:59

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com

scripts/login.js:22

🔗

中危外部 URL 外部 URL

https://creator.xiaohongshu.com/publish/publish

scripts/login.js:41

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/$

scripts/xhs-tools.js:44

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com$

scripts/xhs-tools.js:87

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore

scripts/xhs-tools.js:206

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/search_result?keyword=$

scripts/xhs-tools.js:244

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/user/profile/$

scripts/xhs-tools.js:490

目录结构

13 文件 · 73.7 KB · 2837 行

JavaScript 9f · 2163L Markdown 2f · 360L JSON 2f · 314L

├─ ▾ 📁 data

│ └─ 📋 cookies.json JSON 267L · 6.3 KB

├─ ▾ 📁 references

│ └─ 📝 api.md Markdown 232L · 4.6 KB

├─ ▾ 📁 scripts

│ ├─ 📜 browser.js JavaScript 162L · 3.5 KB

│ ├─ 📜 ensure-service.js JavaScript 113L · 2.6 KB

│ ├─ 📜 index-fixed.js JavaScript 293L · 8.7 KB

│ ├─ 📜 index-progressive.js JavaScript 61L · 1.8 KB

│ ├─ 📜 index-sse.js JavaScript 215L · 5.0 KB

│ ├─ 📜 index.js JavaScript 460L · 12.3 KB

│ ├─ 📜 login.js JavaScript 100L · 2.4 KB

│ ├─ 📜 utils.js JavaScript 82L · 1.4 KB

│ └─ 📜 xhs-tools.js JavaScript 677L · 20.6 KB

├─ 📋 package.json JSON 47L · 1.1 KB

└─ 📝 SKILL.md Markdown 128L · 3.3 KB

依赖分析 5 项

包名	版本	来源	已知漏洞	备注
`@modelcontextprotocol/sdk`	`^1.0.0`	npm	否	Version not pinned with ^ range
`express`	`^4.18.2`	npm	否	Version not pinned with ^ range
`puppeteer`	`^24.0.0`	npm	否	Version not pinned with ^ range; this is the heaviest dependency
`qrcode`	`^1.5.3`	npm	否	Version not pinned with ^ range
`zod`	`^3.22.0`	npm	否	Version not pinned with ^ range

安全亮点

✓ All 13 MCP tools are fully declared in SKILL.md with matching implementations — no hidden functionality

✓ No credential harvesting: no iteration over os.environ, no SSH/AWS config access, no .env reading

✓ No data exfiltration: all network requests are confined to www.xiaohongshu.com and creator.xiaohongshu.com

✓ No obfuscation: no base64 payloads, no eval(), no atob(), no dynamic code generation

✓ No remote script execution: no curl|bash or wget|sh patterns

✓ Cookies are stored locally only and not transmitted to any third party

✓ Uses standard, well-audited dependencies (puppeteer, express, @modelcontextprotocol/sdk)