Trusted — Risk Score 0/100
Last scan: 18 hr ago
xiaohongshu-mcp-openclaw
Xiaohongshu/Rednote MCP client for keyword search, note details, comments, and login management via mcporter
This is a legitimate Xiaohongshu (Rednote) MCP client skill wrapping xpzouying/xiaohongshu-mcp via mcporter. All shell execution, file writes, and network activity are fully declared in SKILL.md. No credential theft, data exfiltration, obfuscation, or hidden functionality was found.
Skill Name: xiaohongshu-mcp-openclaw
Duration: 58.9s
Engine: pi
Safe to install
No action needed. This skill is safe to deploy.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:1 (metadata.requires.bins includes bash); scripts/setup.sh:59 (go insta… |
| Filesystem | WRITE | WRITE | ✓ Aligned | Writes to $HOME/.openclaw/{logs,state}, $GOBIN_PATH, systemd/launchd dirs — all … |
| Network | READ | READ | ✓ Aligned | Local MCP endpoint http://127.0.0.1:18060/mcp only; Go proxy URLs for package do… |
12 findings
Medium · External URL · https://img.shields.io/badge/OpenClaw-Skill-0ea5e9 · README.md:3
Medium · External URL · https://img.shields.io/badge/status-ready-22c55e · README.md:4
Medium · External URL · https://img.shields.io/badge/MCP-HTTP-8b5cf6 · README.md:5
Medium · External URL · https://img.shields.io/badge/tested-2026--03--16-64748b · README.md:6
Medium · External URL · https://gitea.leapinfra.cn/GlitterCCCC/xiaohongshu-mcp-openclaw · README.md:10
Medium · External URL · http://127.0.0.1:18060/mcp · README.md:12
Medium · External URL · https://gitea.leapinfra.cn/GlitterCCCC/xiaohongshu-mcp-openclaw.git · README.md:26
Medium · External URL · https://www.xiaohongshu.com/explore/... · README.md:263
Medium · External URL · http://www.apple.com/DTDs/PropertyList-1.0.dtd · scripts/service_install.sh:45
Medium · External URL · https://proxy.golang.org · scripts/setup.sh:47
Medium · External URL · https://goproxy.cn · scripts/setup.sh:47
Medium · External URL · https://www.xiaohongshu.com/explore/ · scripts/xhs_mcp_client.py:821

File Tree

20 files · 97.4 KB · 3263 lines
Shell 15f · 1454L Python 1f · 1348L Markdown 3f · 452L JSON 1f · 9L
├─ 📁 config
│ └─ 📋 mcporter.json JSON 9L · 209 B
├─ 📁 references
│ └─ 📝 field-mapping.md Markdown 25L · 888 B
├─ 📁 scripts
│ ├─ 🔧 build_distribution.sh Shell 85L · 2.3 KB
│ ├─ 🔧 install_to_openclaw.sh Shell 60L · 1.8 KB
│ ├─ 🔧 login_doctor.sh Shell 88L · 2.9 KB
│ ├─ 🔧 login_flow.sh Shell 88L · 2.7 KB
│ ├─ 🔧 login_qr.sh Shell 353L · 9.8 KB
│ ├─ 🔧 multi_summary.sh Shell 42L · 991 B
│ ├─ 🔧 preflight.sh Shell 64L · 1.5 KB
│ ├─ 🔧 quickstart.sh Shell 51L · 1.7 KB
│ ├─ 🔧 register.sh Shell 49L · 1.7 KB
│ ├─ 🔧 service_install.sh Shell 159L · 4.0 KB
│ ├─ 🔧 service_status.sh Shell 43L · 1.0 KB
│ ├─ 🔧 service_uninstall.sh Shell 55L · 1.4 KB
│ ├─ 🔧 setup.sh Shell 86L · 2.3 KB
│ ├─ 🔧 smoke_test.sh Shell 50L · 1.5 KB
│ ├─ 🔧 start_server.sh Shell 181L · 4.9 KB
│ └─ 🐍 xhs_mcp_client.py Python 1348L · 41.8 KB
├─ 📝 README.md Markdown 305L · 9.3 KB
└─ 📝 SKILL.md Markdown 122L · 4.7 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| xiaohongshu-mcp (Go binary) | latest (unpinned via GOPROXY) | go install github.com/xpzouying/xiaohongshu-mcp | No | Version unpinned by default; XHS_MCP_VERSION env var allows pinning. Source is a known public GitHub repo. |
| mcporter | unpinned | external MCP tooling dependency | No | Required external tool declared in SKILL.md metadata; installed separately by the agent framework |
| PyYAML | unpinned | optional Python dependency | No | Gracefully optional; skill falls back to json/js-object parsing if unavailable |

Security Positives

✓ All shell commands are declared in SKILL.md and serve documented purposes (setup, server start, service install)
✓ No access to sensitive paths: ~/.ssh, ~/.aws, .env, or credential stores
✓ No credential harvesting or environment variable iteration for secrets
✓ No base64, eval, or obfuscated code patterns
✓ No reverse shell, C2, or data exfiltration endpoints
✓ subprocess in xhs_mcp_client.py is used only to invoke mcporter (the intended interface)
✓ All file writes target standard agent/skills staging directories documented in SKILL.md
✓ Go dependency source is a known public GitHub repository (xpzouying/xiaohongshu-mcp)
✓ Python script uses only stdlib except optional PyYAML (gracefully handled with try/except)
✓ No hidden HTML comments, embedded payloads, or steganography
✓ service_install.sh uses OS-native service managers (launchd/systemd) with no privilege escalation beyond user-level