
Security audit

xhs-skill-pusher

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Xiaohongshu publishing helper, but it handles session cookies and live account posting with unsafe secret-handling and command-execution patterns that need review.

Install only if you are comfortable giving this skill access to a Xiaohongshu logged-in session. Use a test or non-critical account, avoid pasting cookies into shell commands, keep cookie files out of git/cloud sync/logs, and review or patch the scripts so secrets are redacted, files use restrictive permissions, and publish actions require explicit confirmation or dry-run first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation describes file read/write behavior for managing cookie files, backups, symlinks, and imported local files, but the skill does not declare corresponding permissions. Undeclared filesystem access reduces transparency and can cause users or platforms to grant trust without understanding that sensitive local data will be read and written.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly tells users to push the repository to GitHub but does not warn them to review the repository for secrets such as cookies, account data, or other sensitive files first. In the context of a skill centered on normalized cookie management and automated publishing, this omission materially increases the chance that authentication material will be committed and exposed publicly, potentially leading to account takeover or abuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes collecting, storing, switching, and reusing authenticated account cookies for automation, but it does not warn that these cookies are effectively bearer credentials that can grant account access if exposed. In a publishing skill tied to a real external platform account, normalizing credential storage without security guidance increases the chance of credential leakage, misuse across accounts, and unintended account compromise.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises automated and scheduled publishing to a live third-party account but does not clearly warn users that commands can cause immediate external side effects. In this context, missing safety guidance increases the risk of accidental posting, misuse of the wrong account via the active cookie mechanism, and policy or reputational harm from unintended automated actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation encourages centralized storage, activation links, import, and backup of authentication cookies, which are effectively bearer tokens for the account. If those files are exposed through weak permissions, backups, sync tools, or accidental sharing, an attacker could hijack the user's Xiaohongshu session and access or post as that account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cookie save command accepts raw session cookies directly on the command line and interpolates them into a shell command via execSync. This exposes sensitive authentication material to shell history and process listings, and if the cookie value contains shell metacharacters it may enable command injection when passed to the shell.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The publish workflow performs authenticated posting to a real account using cookie-based identity and constructs shell commands from user-supplied title, content, tags, image paths, and scheduling data. This is dangerous because it can cause unintended account-affecting actions and also creates command-injection risk if any supplied fields contain shell-special characters.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-start instructions actively facilitate automated posting to an external social-media account, including scheduled publishing, without any warning that the commands will modify a real account and make content public. In an agent skill context, this increases the risk of unintended or unauthorized actions, especially if a user or downstream automation runs the examples without understanding the consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to store, copy, back up, and restore authenticated cookie files, which are effectively bearer credentials that can enable account takeover if exposed. Although it briefly mentions permissions safety, it does not give clear operational safeguards such as restrictive file permissions, encryption at rest, exclusion from logs/version control, and secure backup handling, making accidental credential leakage more likely in this skill context.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The `info_cookie` path prints sensitive authentication material to stdout, including token-bearing fields such as `access-token-creator.xiaohongshu.com`, `a1`, `web_session`, and `customer-sso-sid`, even if truncated. Terminal output is often captured in shell history logs, CI logs, screen recordings, or remote session transcripts, so exposing live credential values can enable account takeover or session hijacking.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script writes authentication cookies to disk in plaintext JSON without setting restrictive permissions or warning the user that these values are account credentials. In the context of an automated publishing skill, these cookies can likely be reused to hijack the associated Xiaohongshu session if another local user, process, backup system, or repository sync can access the saved files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script converts arbitrary cookie input and writes the resulting credential material to a fixed filename, cookies.json, in the working directory. Because this happens automatically and without an explicit overwrite/consent prompt, it can silently replace an existing authenticated session file or leave sensitive credentials persisted on disk longer than the user expects.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script extracts and displays the x-user-id-creator.xiaohongshu.com value and also enumerates it when listing cookie files. While not equivalent to a full session token, this is still account-identifying information that may leak through console logs, terminal history capture, CI logs, screen sharing, or multi-user environments.

VirusTotal

63/63 vendors flagged this skill as clean.
