Security audit

Xiaohongshu Auto Posting

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Xiaohongshu automation skill that uses a logged-in browser and local workspace files, with some broad triggers users should watch for.

Install only if you are comfortable letting the agent operate a logged-in Xiaohongshu creator session, install browser-act if needed, and store account/post metadata, screenshots, drafts, comments, and analytics under the local workspace. Use explicit Xiaohongshu-scoped requests and review every publish or reply confirmation carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (94% confidence)
Finding
The standalone trigger phrases like "track performance", "see data", "settings", and "switch account" are generic enough to match ordinary user requests outside the intended Xiaohongshu workflow. This can cause the skill to activate unexpectedly and perform browser automation, account operations, or local file reads/writes without the user clearly intending to invoke this specific skill.

Vague Triggers

Low (90% confidence)
Finding
The Phase 6 trigger description includes "similar trigger words," which creates an open-ended matching surface with no clear boundary. In an automation skill that can access browser sessions, comments, and tracking data, ambiguous triggers increase the risk of accidental activation and unintended data access or actions.

Vague Triggers

Medium (93% confidence)
Finding
The standalone trigger phrases are generic enough to match normal conversation and can cause the skill to jump directly into tracking, comment-review, or report-generation flows without clear user confirmation. In this skill, those flows can read browser-session-backed creator data and local workspace files, so an ambiguous match could trigger unintended access to account analytics or comments.

Missing User Warnings

Medium (90% confidence)
Finding
The skill instructs the agent to read and update published.json tracking records in the user's working directory without a visible consent or modification warning. Silent writes to user data can corrupt records, overwrite prior metrics, or cause unauthorized persistence of operational data, especially when triggered automatically after publishing.

Missing User Warnings

Medium (95% confidence)
Finding
The skill accesses browser-session-backed Xiaohongshu data and extracts comment content from page state without an explicit privacy notice or consent checkpoint. Because this relies on authenticated session cookies and pulls user-generated comments, it can expose private or account-linked data and enable unintended processing of third-party content if invoked unexpectedly.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.