Xiaohongshu Post (Browser Auto)

Security checks across malware telemetry and agentic risk

Overview

This is a real Xiaohongshu posting tool, but browser mode can expose logged-in page contents to an external model and publish automatically from a persistent account session.

Review before installing. Prefer draft mode or API mode where possible. If using browser mode, use a dedicated Xiaohongshu account, prefer a local or trusted analyzer endpoint, avoid debug/step capture on sensitive sessions, and protect or delete the persistent browser profile when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96%
Finding
The skill documents access to environment variables, local files, browser automation, and external network endpoints, but does not declare corresponding permissions. This creates a transparency and consent gap: an agent or user may invoke the skill without understanding that it can read secrets, access page HTML containing session data, write browser state, and transmit data to third-party APIs.

Context-Inappropriate Capability

Medium
Confidence
97%
Finding
The script launches a persistent browser context with both clipboard-read and clipboard-write permissions even though the publishing workflow shown here does not require clipboard access. Granting unnecessary clipboard permissions violates least privilege and can expose sensitive clipboard contents from the user's desktop session or allow silent overwriting of clipboard data if the automated page or a compromised site abuses those permissions.

Missing User Warnings

Medium
Confidence
93%
Finding
The code collects the current page URL and HTML, sanitizes only a small set of token-like patterns, and then sends that content to an OpenAI-compatible remote endpoint by default. Page HTML can still contain personal data, session-linked identifiers, unpublished post content, or other sensitive business information, so transmitting it off-box without an explicit user consent or a strict local-only default creates a real privacy and data-exfiltration risk.

Missing User Warnings

Medium
Confidence
98%
Finding
The automation proceeds to click the final 发布 (Publish) button and even handles follow-up confirmation dialogs without any explicit user confirmation gate immediately before the irreversible publish action. In a posting skill this is risky because bad prompts, page-state misclassification, or injected content could cause unintended public publication from a real personal account.

Missing User Warnings

Low
Confidence
95%
Finding
The browser context is granted clipboard read/write permissions without any warning, consent, or clear operational need disclosed to the user. Even if not actively used by this file, the permission broadens what automated pages can access, creating avoidable privacy risk in a tool that already operates on an authenticated social-media session.

VirusTotal

66/66 vendors flagged this skill as clean.