Xiaohongshu Competitor Monitoring Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Xiaohongshu monitoring tool, but it uses stealth browser automation with persistent logged-in sessions and under-discloses those risks.

Install only after reviewing the code and the platform-policy risk. Specifically:
  • Use a dedicated Xiaohongshu account and a dedicated browser profile.
  • Keep Chrome remote debugging local, and close it when it is not needed.
  • Avoid cron until logging and cleanup are in place.
  • Remove, or at least understand, the stealth dependencies.
  • If you enable Feishu/Bitable, grant its permissions narrowly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates use of environment variables and shell commands, but the manifest does not clearly declare corresponding permissions or capabilities. This weakens transparency and consent, making it easier for users or hosting platforms to underestimate what the skill can access or execute.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose under-describes materially sensitive behavior: browser automation, manual login/session reuse, persistent local browser profile storage, and opening a remote debugging port. These behaviors increase risk because they expose authenticated session material and local browser control beyond what a user would reasonably infer from the description.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest advertises writing to a data dashboard, while the documentation says multidimensional-table writing is optional or not yet implemented. This inconsistency is security-relevant because users cannot accurately assess what data will be transmitted or which integrations will be activated.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The feature list claims data-board writing exists, but the roadmap says it is still pending. Conflicting statements about data export behavior can mislead users about where scraped content goes, creating consent and data-handling risks.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file explicitly uses puppeteer-extra with a stealth plugin and 'humanized' timing/scrolling to evade platform anti-bot controls, which goes beyond ordinary browser automation for monitoring public content. In context, this enables deceptive scraping behavior that can bypass platform restrictions and facilitate unauthorized collection at scale.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code combines stealth automation with randomized delays, scrolling, selector fallbacks, and simulated typing specifically to mimic a human user and reduce detection. That materially increases the capability to circumvent platform defenses, making the scraper more dangerous than a straightforward monitoring tool.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Persisting a full Chrome user-data directory can store cookies, session tokens, browsing history, and other sensitive artifacts on disk. If that directory is reused, exposed, or insufficiently protected, it can lead to credential leakage, unintended session persistence, and privacy/security issues unrelated to the stated monitoring purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does not prominently warn that it collects account content, stores local history, reuses an authenticated browser session, and may send extracted data to Feishu or Bitable. In this context, the omission is risky because the tool handles scraped content and authenticated session state, both of which users should explicitly consent to before setup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code stores a persistent Chrome profile under a local user data directory, which will retain cookies, authentication tokens, and browsing state after the process exits. In this skill's context, the browser is explicitly used for manual login to Xiaohongshu, so persistent session artifacts are expected and could expose the user's account if the host filesystem is shared, backed up insecurely, or later accessed by other processes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists both browser session state via a fixed userDataDir and scraped note results via notes.json without any explicit notice, consent flow, retention policy, or access controls. In this skill’s context, the stored browser profile may contain authenticated cookies and other sensitive session artifacts, so local compromise or unintended reuse could expose the user’s Xiaohongshu account and collected competitor data.

Session Persistence

Medium
Category
Rogue Agent
Content
Edit crontab:

```bash
crontab -e

# Add the following line:
6 14 * * * /usr/bin/node /path/to/xhs-monitor/src/main.js
```

Confidence
72% confidence
Finding
crontab -e

VirusTotal

64/64 vendors flagged this skill as clean.