xiaohongshu-mcp
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, NO_CODE)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation directs users to download platform-specific binaries (MCP server and login tools) from a third-party GitHub repository (xpzouying/xiaohongshu-mcp). This repository is not associated with a trusted vendor or the skill author.
- [REMOTE_CODE_EXECUTION]: The instructions involve downloading executable code from a remote source and running it locally. This pattern bypasses the safety of managed execution environments.
- [COMMAND_EXECUTION]: The skill provides shell commands to grant execution permissions (chmod +x) and run the downloaded binaries. Executing unverified binaries from unknown sources is a high-risk operation that could lead to system compromise or credential theft.
- [NO_CODE]: The skill references a Python script (scripts/xhs_client.py) to handle client interactions, but this file is missing from the provided skill folder. Only the markdown documentation is present.
Recommendations
- AI detected serious security threats
Audit Metadata