Scan report
0 /100
xiaohongshu-mcp-openclaw
Xiaohongshu/Rednote MCP client for keyword search, note details, comments, and login management via mcporter
This is a legitimate Xiaohongshu (Rednote) MCP client skill wrapping xpzouying/xiaohongshu-mcp via mcporter. All shell execution, file writes, and network activity are fully declared in SKILL.md. No credential theft, data exfiltration, obfuscation, or hidden functionality was found.
Safe to install
No action needed. This skill is safe to deploy.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:1 (metadata.requires.bins includes bash); scripts/setup.sh:59 (go insta… |
| File system | WRITE | WRITE | ✓ Consistent | Writes to $HOME/.openclaw/{logs,state}, $GOBIN_PATH, systemd/launchd dirs — all … |
| Network access | READ | READ | ✓ Consistent | Local MCP endpoint http://127.0.0.1:18060/mcp only; Go proxy URLs for package do… |
12 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/OpenClaw-Skill-0ea5e9 | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/status-ready-22c55e | README.md:4 |
| Medium | External URL | https://img.shields.io/badge/MCP-HTTP-8b5cf6 | README.md:5 |
| Medium | External URL | https://img.shields.io/badge/tested-2026--03--16-64748b | README.md:6 |
| Medium | External URL | https://gitea.leapinfra.cn/GlitterCCCC/xiaohongshu-mcp-openclaw | README.md:10 |
| Medium | External URL | http://127.0.0.1:18060/mcp | README.md:12 |
| Medium | External URL | https://gitea.leapinfra.cn/GlitterCCCC/xiaohongshu-mcp-openclaw.git | README.md:26 |
| Medium | External URL | https://www.xiaohongshu.com/explore/... | README.md:263 |
| Medium | External URL | http://www.apple.com/DTDs/PropertyList-1.0.dtd | scripts/service_install.sh:45 |
| Medium | External URL | https://proxy.golang.org | scripts/setup.sh:47 |
| Medium | External URL | https://goproxy.cn | scripts/setup.sh:47 |
| Medium | External URL | https://www.xiaohongshu.com/explore/ | scripts/xhs_mcp_client.py:821 |
Directory structure
20 files · 97.4 KB · 3263 lines
Shell 15f · 1454L
Python 1f · 1348L
Markdown 3f · 452L
JSON 1f · 9L
├─ config
│  └─ mcporter.json (JSON)
├─ references
│  └─ field-mapping.md (Markdown)
├─ scripts
│  ├─ build_distribution.sh (Shell)
│  ├─ install_to_openclaw.sh (Shell)
│  ├─ login_doctor.sh (Shell)
│  ├─ login_flow.sh (Shell)
│  ├─ login_qr.sh (Shell)
│  ├─ multi_summary.sh (Shell)
│  ├─ preflight.sh (Shell)
│  ├─ quickstart.sh (Shell)
│  ├─ register.sh (Shell)
│  ├─ service_install.sh (Shell)
│  ├─ service_status.sh (Shell)
│  ├─ service_uninstall.sh (Shell)
│  ├─ setup.sh (Shell)
│  ├─ smoke_test.sh (Shell)
│  ├─ start_server.sh (Shell)
│  └─ xhs_mcp_client.py (Python)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 3 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| xiaohongshu-mcp (Go binary) | latest (unpinned via GOPROXY) | go install github.com/xpzouying/xiaohongshu-mcp | No | Version unpinned by default; XHS_MCP_VERSION env var allows pinning. Source is a known public GitHub repo. |
| mcporter | unpinned | external MCP tooling dependency | No | Required external tool declared in SKILL.md metadata; installed separately by the agent framework |
| PyYAML | unpinned | optional Python dependency | No | Gracefully optional; skill falls back to json/js-object parsing if unavailable |
Security highlights
✓ All shell commands are declared in SKILL.md and serve documented purposes (setup, server start, service install)
✓ No access to sensitive paths: ~/.ssh, ~/.aws, .env, or credential stores
✓ No credential harvesting or environment variable iteration for secrets
✓ No base64, eval, or obfuscated code patterns
✓ No reverse shell, C2, or data exfiltration endpoints
✓ subprocess in xhs_mcp_client.py is used only to invoke mcporter (the intended interface)
✓ All file writes target standard agent/skills staging directories documented in SKILL.md
✓ Go dependency source is a known public GitHub repository (xpzouying/xiaohongshu-mcp)
✓ Python script uses only stdlib except optional PyYAML (gracefully handled with try/except)
✓ No hidden HTML comments, embedded payloads, or steganography
✓ service_install.sh uses OS-native service managers (launchd/systemd) with no privilege escalation beyond user-level