Xiaohongshu Ops Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support real social-media account automation, but it exposes sensitive tokens and persists or mutates account data without enough user control.

Install only if you intentionally want an agent to operate a real Xiaohongshu account and retain operational notes. Review the installer before running it, do not expose the gateway token in shared terminals or logs, use preview/draft mode for posts and replies, and require explicit confirmation before any live posting, replying, or knowledge-base write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Missing User Warnings

Medium
Confidence: 95%
Finding
The markdown provides a one-click installation script that downloads and immediately executes a remote shell script from GitHub via `curl ... | bash` without any integrity verification, pinning beyond a tag, or surrounding warning to review the script first. If the remote content, transport path, or referenced source is compromised, users will execute attacker-controlled code on their machine during setup.

Missing User Warnings

High
Confidence: 99%
Finding
The script reads the gateway authentication token from configuration and prints it directly to the terminal as part of normal verification output. This exposes a live credential in plaintext where it can be captured by terminal logging, screen sharing, shell history tooling, or nearby observers, enabling unauthorized access to the local OpenClaw gateway.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README promotes automated publishing and comment-reply actions on a real social-media account without any visible warning about account bans, unintended posting, spam behavior, or the need for explicit user confirmation before account-impacting actions. In this skill context, the omission is more dangerous because the advertised core capability is direct operation of a live Xiaohongshu account, so users may treat automation as low-risk and trigger irreversible actions under an authenticated session.

Missing User Warnings

Low
Confidence: 84%
Finding
The README states that users log in once via QR code and can then continue using the automated browser session without warning that the automation environment may retain authenticated cookies or session state. In a browser-automation skill, this matters because anyone with access to the automation profile or logs could potentially act as the user on Xiaohongshu until the session is revoked.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The skill hard-codes a platform-specific persona and writing style for all outward-facing content ('all external copy must follow persona.md') without requiring user consent or offering an override. This can cause the agent to ignore the user's requested tone, misrepresent the user's intent, and generate communications the user did not authorize, especially in posting, commenting, or private-message contexts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the agent to persist task artifacts, conclusions, evidence, risks, and next steps into a knowledge base by default, but it does not require notifying the user or obtaining consent for retention. In an operations skill handling account analysis, content plans, comments, and posting workflows, this can silently store sensitive business data, account strategy, or user-generated material beyond the immediate task.

Vague Triggers

Medium
Confidence: 84%
Finding
The template triggers are phrased as very common conversational prompts such as '你能做什么' and '有啥建议', which can match a wide range of ordinary user messages unrelated to the intended narrow scenario. In an agent skill, overly broad examples can cause unintended activation or misrouting, leading the assistant to apply this operational behavior in contexts where it should instead answer normally or ask clarifying questions.

Missing User Warnings

Low
Confidence: 90%
Finding
The file instructs the agent to persist operational data into local knowledge-base files and a tracked overview document, but it does not require explicit user awareness or consent before modifying project files. In an agent setting, silent writes to local repositories can create unintended state changes, pollute working trees, and leak sensitive task context into retained artifacts.

Missing User Warnings

Low
Confidence: 94%
Finding
The fallback flow explicitly tells the agent to append summaries into `knowledge-base/README.md` when normal storage fails, again without warning that this changes a version-controlled project document. This is risky because failure handling increases the chance of unexpected writes during degraded operation, when the agent may already be acting with reduced safeguards.

Missing User Warnings

Low
Confidence: 89%
Finding
The file explicitly documents writing sampled analysis results into a knowledge base, but it provides no warning, confirmation step, or boundary on when persistent modification is allowed. In an agent skill, silent writes can cause unintended data persistence, contamination of shared knowledge stores, or retention of scraped third-party content without the operator realizing the skill mutates state.

Ssd 3

High
Confidence: 99%
Finding
The workflow intentionally surfaces the gateway auth token in plain language output, turning a secret into user-visible console text. Because this token is then also used in subsequent example commands, accidental disclosure becomes much more likely and could let another process or person connect to the gateway and act with the user's privileges.

VirusTotal

64/64 vendors flagged this skill as clean.