xiaohongshu-mcp
Audited by Socket on Mar 10, 2026
1 alert found:
Obfuscated File

The skill aims to provide automated Xiaohongshu content operations via a local MCP server and a Python client. The core workflow is coherent with the stated purpose. However, the installation and distribution model relies on unverifiable binaries from GitHub releases (no checksums/signatures mentioned), and there is potential credential/session exposure through tokens and local server logs. Data flows are mostly expected but introduce an additional local component that could become a data-control/policy boundary. Overall, the footprint is suspiciously disproportionate for a development tool: a benign feature set is present, but the binary distribution and credential handling raise security concerns. Treat as SUSPICIOUS, leaning toward BENIGN only if provenance checks (signatures/checksums, registry-based installs) and explicit secure credential/storage practices are provided.