The skill executes arbitrary commands, accesses user files,
Claims to do
Xiaohongshu full-chain operations skill v2.0: 🦞 **Xiaohongshu all-in-one operations assistant** - verified to work on macOS + OpenClaw
Actually does
The skill uses a built-in browser automation tool to navigate to `https://creator.xiaohongshu.com/publish/publish`. It copies an image from the user's desktop to `/tmp/openclaw/uploads/`, uploads it, types a title and body content into specific input fields via DOM manipulation, and then clicks a publish button.
openclaw skills install richardx0319/xiaohongshu-all-in-one
DeBERTa classifier detected prompt injection (confidence: 0.99)
The skill executes a shell command (`cp`) to copy a file from the user's Desktop directory (`~/Desktop/图片.jpg`) to a temporary directory. This demonstrates the capability for arbitrary command execution and access to the user's home directory, which could be abused if the paths were user-controlled.
cp ~/Desktop/图片.jpg /tmp/openclaw/uploads/
The skill hardcodes a specific filesystem path (`/tmp/openclaw/uploads`) and instructs the agent to copy files from the user's Desktop to that path. This establishes a predictable staging directory that could be leveraged to access or stage arbitrary files from the user's system.
cp ~/Desktop/图片.jpg /tmp/openclaw/uploads/
The skill operates within an authenticated browser profile ('openclaw') with persistent login state for xiaohongshu. Combined with the evaluate/JavaScript execution capability, an attacker-modified version of this skill could trivially harvest session cookies or tokens from the authenticated session.
profile="openclaw" ... First use requires scanning a QR code to log in to Xiaohongshu
The skill explicitly recommends using evaluate (JavaScript DOM manipulation) instead of standard UI interactions to bypass platform input handling. This technique is used to circumvent anti-automation measures and could be used to inject content that bypasses client-side validation or content filters.
browser.act(kind="evaluate", fn=...) // evaluate recommended ... Q: The title ended up in the body? A: Using evaluate to manipulate the DOM directly is more reliable
The skill defines a specific 'tsundere, tough-talking' persona ('虾薯, an electronic pet that lives inside a MacBook') to influence user interaction. Additionally, it uses phrases like 'macOS verified edition v2.0' and 'verification date: 2026-03-15' to imply legitimacy and reduce user scrutiny, which are common oversight evasion tactics.
Persona (operations persona)... identity: 虾薯... tone: tsundere, tough-talking... description: "...(macOS verified edition v2.0)"... verification date: 2026-03-15
The skill claims to be an 'all-round operation assistant' with features like competitor analysis, data review, and interactive operations, but the provided technical details and code snippets only implement the content publishing functionality. The other claimed features lack any implementation.
The '技术细节' (Technical Details) section only contains a '发布流程' (Publishing process) subsection, with no corresponding implementation for '竞品分析' (Competitor Analysis), '数据复盘' (Data Review), or '互动运营' (Interactive Operations) despite them being listed in '功能概览' (Feature Overview).
The skill describes automated posting with retry logic and rate-limiting guidance (30-second intervals), enabling autonomous repetitive actions on a social media platform without explicit per-action human confirmation. This could facilitate spam, coordinated inauthentic behavior, or platform abuse at scale.
After 2 consecutive failures, switch to the conservative path ... retry each step at most once ... recommended publishing interval of 30 seconds or more
Source: https://mondoo.com/ai-agent-security/skills/clawhub/richardx0319/xiaohongshu-all-in-one