
Security audit

小红书笔记抓取与选题助手 (Xiaohongshu note scraper and topic-selection assistant)

Security checks across malware telemetry and agentic risk

Overview

The skill is a genuine Xiaohongshu scraping helper, but it asks for sensitive cookies or API tokens and includes a generic authenticated API mode and logged-in search behavior that are not tightly bounded by its narrow description.

Install only if you are comfortable running a scraping tool with your own Xiaohongshu cookies or API tokens. Use short-lived, low-privilege credentials, avoid full personal browser cookies when possible, do not use the generic API mode with untrusted URLs, and keep outputs private because they may contain account-accessible or third-party content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation clearly describes capabilities to read local files, write outputs, and perform network requests, yet no explicit permissions are declared. This creates a transparency and governance gap: operators may approve a seemingly simple note-fetcher without realizing it can access local credential files, send authenticated requests, and persist collected data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The stated purpose is note extraction from user-provided Xiaohongshu URLs, but the documented behavior expands into keyword search, bulk collection, ranking, template generation, generic API querying, and browser automation. This mismatch is security-relevant because users and platform reviewers may grant trust or credentials under a narrower premise than what the skill can actually do.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The publishing notes advertise capabilities that go beyond the declared skill scope: keyword-based search scraping, threshold filtering, and multi-format export, whereas the manifest describes note-URL-based public page extraction. This scope mismatch is security-relevant because hidden or undocumented behaviors make user consent, policy review, and downstream enforcement unreliable, especially for a scraping skill that may access broader datasets than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The documentation broadens the tool from simple note-by-URL extraction into keyword-based search workflows. Even if not overtly malicious, that scope expansion increases collection breadth and changes the data-access model from targeted retrieval to discovery and enumeration, which should be disclosed and controlled separately.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The generic API adapter allows authenticated requests to arbitrary third-party endpoints, which is far beyond a Xiaohongshu note fetcher. In practice, this can turn the skill into a general-purpose authenticated HTTP client, increasing the risk of credential misuse, unintended data exfiltration, or use against unrelated services.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
A generic authenticated API client is unjustified in the context of a narrowly described note-fetching skill, especially when users are instructed to provide tokens and custom headers. This materially increases danger because it enables credentialed requests to arbitrary services under the cover of a benign scraping tool.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script's behavior materially differs from the manifest: instead of extracting data from user-supplied public note URLs, it performs keyword-based discovery of Xiaohongshu content and builds a list of 'hot' notes. This expands the skill from targeted extraction into account-assisted content discovery/collection, which is a scope change that can enable unauthorized bulk gathering and surprise users or operators about what the skill actually does.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The script requires a logged-in cookie file, injects those cookies into a browser context, and verifies login state before scraping search results. Using user account cookies for a capability not described in the manifest increases the risk of credential misuse, unintended access via the user's session, and collection of content only available through authenticated browsing rather than truly public-page extraction.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script does not implement a Xiaohongshu-specific note fetcher; instead it lets callers send arbitrary keyword searches to any endpoint supplied at runtime. In an agent skill, that mismatch creates an undeclared network primitive that can be repurposed for unintended outbound requests, data brokerage, or policy bypass under the cover of a benign scraping tool.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This code exposes a generic HTTP client capability by allowing user-controlled base URL, auth header, auth mode, arbitrary headers, and arbitrary query parameters. In an agent environment, that is dangerous because it can be abused as an SSRF/open-proxy primitive to contact unexpected services, attach attacker-chosen credentials, and exfiltrate data while appearing to be a Xiaohongshu utility.
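What bounding such an adapter looks like in practice, as an added example that is not code from the audited skill or from SkillSpector: a Python wrapper that validates the final request URL (not just the base URL) against an origin allowlist, refuses destinations that resolve to non-public addresses, keeps paths origin-relative so they cannot name a different host, forwards each credential header only to the origin it is scoped to, and redacts credentials before anything is logged or saved. The host names, the credential scoping table, the header names and the `resolve` hook are assumptions.

```python
"""Bounded wrapper around a generic authenticated HTTP adapter.

Added example, not code from the audited skill. It assumes a hypothetical
adapter that takes a base URL, a path, query parameters and headers, and shows
the checks that keep such an adapter from acting as an open proxy: an origin
allowlist, a resolved-address check, path confinement and per-origin credential
scoping. Host names and header names below are assumptions.
"""
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed allowlist: the only origins a note fetcher for this platform needs.
ALLOWED_ORIGINS = {"www.xiaohongshu.com", "edith.xiaohongshu.com", "api.tikhub.io"}

# Assumed scoping: which credential header each origin may receive.
CREDENTIAL_SCOPE = {
    "www.xiaohongshu.com": {"cookie"},
    "edith.xiaohongshu.com": {"cookie"},
    "api.tikhub.io": {"authorization"},
}
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}


class DestinationRejected(ValueError):
    """Raised when a request would leave the allowlisted origins."""


def _is_public(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (cloud metadata), reserved and multicast ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_destination(url: str, resolve: Optional[Callable[[str], Iterable[str]]] = None) -> str:
    """Return the lower-cased host if url is an allowed https origin, otherwise raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise DestinationRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise DestinationRejected("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_ORIGINS:
        raise DestinationRejected(f"host not allowlisted: {host!r}")
    if parts.port not in (None, 443):
        raise DestinationRejected(f"port not allowed: {parts.port}")
    # Defence in depth: even an allowlisted name must resolve to a public address.
    if resolve is not None:
        for ip in resolve(host):
            if not _is_public(ip):
                raise DestinationRejected(f"{host} resolves to non-public address {ip}")
    return host


def scope_headers(headers: dict, host: str) -> dict:
    """Forward a credential header only to the origin it is scoped to; drop all others."""
    allowed = CREDENTIAL_SCOPE.get(host, set())
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key in SENSITIVE_HEADERS and key not in allowed:
            continue
        out[name] = value
    return out


def redact(headers: dict) -> dict:
    """Copy of headers that is safe for logs and saved outputs."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def build_request(base_url: str, path: str, params: dict, headers: dict, resolve=None) -> dict:
    """Compose and validate one outbound request; returns {'url', 'headers', 'log'}."""
    # An absolute or protocol-relative path would silently pick a different host.
    if not path.startswith("/") or path.startswith("//"):
        raise DestinationRejected(f"path must be origin-relative: {path!r}")
    base = urlsplit(base_url)
    url = urlunsplit((base.scheme, base.netloc, path, urlencode(params), ""))
    host = check_destination(url, resolve)  # validate the final URL, not only base_url
    scoped = scope_headers(headers, host)
    return {"url": url, "headers": scoped, "log": redact(scoped)}


if __name__ == "__main__":
    # Constructed calls: one allowed request, one attempt to reach a cloud metadata address.
    ok = build_request("https://api.tikhub.io", "/api/v1/xiaohongshu/search",
                       {"keyword": "coffee"}, {"Authorization": "Bearer t"})
    print(ok["url"], ok["log"])
    try:
        build_request("https://169.254.169.254", "/latest/meta-data/", {}, {"Authorization": "Bearer t"})
    except DestinationRejected as err:
        print("rejected:", err)
```

The point of validating the composed URL rather than the caller's `base_url` is that path and query are also caller-controlled; the same applies to the credential table, which stops a token meant for one service from being replayed against another origin that happens to be allowlisted.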

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The module docstring and CLI help describe a Xiaohongshu note-search tool, but the actual implementation is a generic custom API caller. That deceptive packaging materially increases risk in a skill ecosystem because reviewers and users may grant permissions or trust assumptions based on the declared purpose while the code provides broader network functionality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The implemented behavior performs keyword-based Xiaohongshu search against TikHub search endpoints, which does not match the declared skill purpose of fetching and structuring data from user-provided note URLs. This mismatch is security-relevant because it can cause users or higher-level agents to send broad search queries and receive unrelated third-party data, violating least surprise and potentially broadening data collection beyond the user's intended scope.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill asks users to supply Cookie strings, Cookie files, and API tokens, but does not clearly warn that these are sensitive session credentials that can expose account access and personal data. In a scraping context, this omission is dangerous because users may paste live browser cookies or long-lived tokens without understanding the risk of leakage, reuse, or over-collection.
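One way a skill can act on that warning instead of only printing it, as an added example that is not the audited skill's code: a loader that accepts either a JSON cookie export or a pasted `Cookie:` header string, keeps only cookies scoped to the target site, refuses to inject any other site's session into the browser context, warns when a cookie is long-lived, and produces a redacted summary that is safe to show or save. The export layout (a list of objects with `name`, `value`, `domain`, `path`, `expires`, `httpOnly`), the target domain suffix and the 30-day threshold are assumptions.

```python
"""Domain-scoped cookie loading for a scraping skill.

Added example, not the audited skill's code. Assumes a JSON cookie export of the
form [{"name", "value", "domain", "path", "expires", "httpOnly"}] (the usual
browser-extension layout) and a single target site. Cookies for any other site
are dropped rather than injected into the browser context.
"""
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

TARGET_SUFFIX = "xiaohongshu.com"        # assumed scope of the skill
LONG_LIVED_SECONDS = 30 * 24 * 3600       # assumed threshold for the "long-lived" warning


def _in_scope(domain: str) -> bool:
    """True for the target site and its subdomains; a leading dot is ignored."""
    d = domain.lower().lstrip(".")
    return d == TARGET_SUFFIX or d.endswith("." + TARGET_SUFFIX)


def header_to_export(cookie_header: str, domain: str) -> str:
    """Convert a pasted 'Cookie:' header string into the same JSON export layout."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return json.dumps([{"name": k, "value": m.value, "domain": domain} for k, m in jar.items()])


def scope_cookies(export_json: str, now: Optional[float] = None) -> dict:
    """Filter an export down to in-scope cookies and report what was dropped and why."""
    now = time.time() if now is None else now
    kept, dropped, warnings = [], [], []
    for rec in json.loads(export_json):
        name, value, domain = rec.get("name"), rec.get("value"), rec.get("domain", "")
        if not name or not value:
            continue
        if not _in_scope(domain):
            dropped.append(f"{name}@{domain}")  # another site's session: never inject it
            continue
        expires = rec.get("expires")
        if expires and expires - now > LONG_LIVED_SECONDS:
            days = int((expires - now) // 86400)
            warnings.append(f"{name}: valid for {days} more days; prefer a short-lived session")
        kept.append({
            "name": name, "value": value, "domain": domain,
            "path": rec.get("path", "/"),
            "secure": True,                    # never let the cookie ride a plain-HTTP request
            "httpOnly": bool(rec.get("httpOnly", False)),
        })
    if dropped:
        warnings.append(f"dropped {len(dropped)} cookie(s) for other sites: {', '.join(dropped)}")
    if not kept:
        warnings.append("no cookies for the target site were found; logged-in features will fail")
    return {"cookies": kept, "dropped": dropped, "warnings": warnings}


def redacted_summary(cookies: list) -> list:
    """Names and value lengths only: safe to show to the user or write to an output file."""
    return [f"{c['name']}@{c['domain']}=<{len(c['value'])} chars>" for c in cookies]


if __name__ == "__main__":
    # Constructed sample export: two in-scope cookies and one from an unrelated site.
    sample = json.dumps([
        {"name": "sid", "value": "s3cr3t-session-value", "domain": ".xiaohongshu.com",
         "expires": time.time() + 400 * 86400},
        {"name": "pref", "value": "zh", "domain": "www.xiaohongshu.com"},
        {"name": "auth", "value": "bank-session", "domain": ".bank.example"},
    ])
    result = scope_cookies(sample)
    print(redacted_summary(result["cookies"]))
    for w in result["warnings"]:
        print("WARNING:", w)
```

Dropping out-of-scope cookies matters because a whole-browser export carries every logged-in session the user has; the warning list is what the skill should surface before it injects anything, and the redacted summary is the only form of the credentials that should ever reach an output file.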

VirusTotal

0/67 vendors flagged this skill as malicious (67/67 reported it clean). Note that antivirus engines detect known malware, not the scope and credential-handling issues listed above, so a clean result does not address those findings.
