follow-xhs

Security checks across malware telemetry and agentic risk

Overview

This skill is an unofficial Xiaohongshu search helper, but it ships account-session data and uses under-disclosed authenticated browser-emulation behavior that users should review carefully.

Review before installing. Delete the bundled web_session value, rotate it if it belongs to you, and do not paste a primary-account cookie into chat unless you accept account-linked automated Xiaohongshu requests. Prefer a separate low-risk account, pin dependencies, avoid untrusted proxies, and expect platform rate limits or verification because the tool uses unofficial browser-style request signing and fingerprinting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

eval() call detected

High
Category
Dangerous Code Execution
Content
"""
        获取配置项的通用方法
        """
        return eval(self.config.get(section, key, fallback=fallback))

# 单例模式
xhs_config = Config()
Confidence
99% confidence
Finding
return eval(self.config.get(section, key, fallback=fallback))

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill exposes effective capabilities for file read/write and network access without declaring permissions, which prevents users or reviewers from understanding its true access scope. Hidden or undeclared capabilities are dangerous because they can be used to exfiltrate local data, persist session tokens, or modify configuration unexpectedly, especially when combined with the behavior mismatch noted elsewhere.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The described behavior goes well beyond simple note search and retrieval: it includes browser fingerprint spoofing, generation of anti-bot headers/cookies, acquisition of risk-control session parameters, automatic session establishment, and retry logic for CAPTCHA or slider challenges. In this context, the mismatch strongly suggests deliberate evasion of platform security controls and covert handling of authentication/session material, which can facilitate unauthorized access, account abuse, and stealthy scraping while concealing the true risk from users.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The method advertises server results filtered by publish time, but when filtering is enabled it returns the original unmodified aiohttp response. This creates a security-relevant integrity issue: downstream callers may trust the function contract and make decisions on stale or out-of-scope content, which can bypass policy, monitoring, or automation constraints based on recency.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code explicitly fabricates a large synthetic browser fingerprint and anti-detection signals, including webdriver evasion, fake hardware characteristics, storage capability flags, and environment-consistency fields. In the context of a Xiaohongshu search/content-fetch skill, this goes beyond ordinary request generation and is reasonably interpreted as stealth automation meant to bypass platform bot detection and access controls.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The session initialization performs automatic login via auth.scan_login() when sid and did are present, which exceeds the declared scope of a search/content retrieval tool. This is dangerous because it introduces account-bound behavior and authentication side effects, increasing the risk of unauthorized account actions, credential misuse, or policy-violating automation if the skill is invoked in environments that only expect passive retrieval.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The retry path automatically handles NeedScanLogin by calling pass_scan_124 and then resubmitting the original request, effectively implementing QR-based verification bypass/automation. This is dangerous because it turns a content-fetching session into an anti-abuse circumvention mechanism, enabling repeated automated access using account/session artifacts without clear user awareness or scope limitation.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This code handles anti-bot and authentication challenges by programmatically supplying sid, did, verifyUuid, and related values to pass a scan verification flow. In the context of a search tool, that is risky because it operationalizes account-based access and challenge handling beyond ordinary content retrieval, which can facilitate evasion of platform protections and unauthorized automated activity.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill states it runs completely locally, but the documented workflow performs live requests to Xiaohongshu and optionally routes them through a user-supplied proxy. This is a misleading trust boundary claim: users may disclose credentials or approve execution under the false assumption that no external network activity occurs.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The onboarding flow directs automatic `pip install` of packages during skill execution. Installing code from package repositories at runtime expands the attack surface, can execute unreviewed setup/install hooks, and is unnecessary for a safe-by-default skill without explicit user approval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to manually extract and place a live `web_session` login cookie into a local config file, but it does not clearly warn that this cookie is an authentication secret equivalent to account access. That increases the chance users will mishandle it, commit it to source control, share logs/configs, or expose it through AI tooling, which could enable account takeover or unauthorized access to personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code packages browser/device fingerprint data into request parameters for a network call to a remote Xiaohongshu endpoint, with no indication of notice, consent, minimization, or gating at this layer. In the context of a scraping/search skill, fingerprint collection and transmission can enable covert tracking, device correlation, or anti-bot evasion, making the behavior privacy-relevant and security-sensitive even though the code itself is not overtly destructive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The generator serializes all provided cookies into the fingerprint payload, which can expose session identifiers, auth tokens, and other sensitive state to downstream code or external services. Combining cookies with a synthetic fingerprint also increases tracking and account-takeover risk if logs, telemetry, or third-party endpoints receive this payload.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The update routine re-injects the full cookie string into the mutable fingerprint object, perpetuating exposure of sensitive session data across requests and increasing the chance of leakage through logging, persistence, or unintended transmission. Because this occurs during refresh/update flows, the sensitive data may spread widely through normal operation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The update path writes the entire configuration object to disk, which can include sensitive cookie material such as web_session. Persisting authentication tokens in plaintext without warning, minimization, or protection increases the risk of credential theft from local file disclosure, backups, logs, or other processes on the same system.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The session setup performs several outbound requests while attaching cookies, generated identifiers, and fingerprint-related values, but there is no user-facing disclosure or consent mechanism in this file. That is dangerous because users or integrators may believe the tool only performs simple search requests, while it actually establishes tracking/session state and communicates persistent identifiers to remote services, creating privacy, compliance, and account-risk concerns.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks the user to provide a `web_session` login credential and save it locally without clearly warning that it is a sensitive authentication token. Soliciting and storing session credentials increases the risk of account takeover, unintended reuse, leakage through logs/files, and misuse by the agent or other local processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates an immediate search test after onboarding using the user's credential, triggering live requests without a separate explicit opt-in. This can surprise users, expose account activity, consume rate limits, and increase the chance of credential misuse or platform security triggers before the user has reviewed the consequences.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to collect and persist the user's login session token for later reuse. Persistent storage of reusable session credentials creates a durable compromise point: if the config file, logs, backups, or host are accessed, the attacker may be able to impersonate the user account.

Ssd 3

Medium
Confidence
91% confidence
Finding
The report flow aggregates full note text, author identifiers, note IDs, and direct links into one downstream prompt. Bundling this data for model processing can create privacy and data-minimization issues, especially if prompts are logged, retained, or sent to external model providers, and it may exceed what is necessary for summary generation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
loguru
pycryptodome
getuseragent
Confidence
98% confidence
Finding
aiohttp

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
loguru
pycryptodome
getuseragent
pydantic
Confidence
95% confidence
Finding
loguru

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
loguru
pycryptodome
getuseragent
pydantic
Confidence
98% confidence
Finding
pycryptodome

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
loguru
pycryptodome
getuseragent
pydantic
Confidence
90% confidence
Finding
getuseragent

Unpinned Dependencies

Low
Category
Supply Chain
Content
loguru
pycryptodome
getuseragent
pydantic
Confidence
97% confidence
Finding
pydantic

VirusTotal

67/67 vendors flagged this skill as clean.
