Security audit

xiaohongshu-full-auto

Security checks across malware telemetry and agentic risk

Overview

This skill is aimed at Xiaohongshu automation, but it asks for sensitive account credentials and can auto-publish public posts without enough review safeguards or fully reviewable publishing code.

Review before installing. Use semi-auto or assist-only mode, set publish.enable to false until you have inspected the missing publish and generation modules, and treat the Xiaohongshu cookie and API keys as account secrets. Do not rely on unattended posting unless you have verified the third-party hot-topic source, account scope, rate limits, and a manual review process for every post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
The comments and variable naming imply the code is using an official or public Xiaohongshu source, but it actually sends requests to an unrelated third-party domain. This mismatch is risky because it hides a trust boundary change from reviewers and users, and the external service can return manipulated data, collect request metadata, or become a supply-chain dependency without clear disclosure.

Vague Triggers

Severity: Medium
Confidence: 87%
The trigger phrases are broad and likely to match ordinary user requests about Xiaohongshu creation or publishing, which can cause accidental activation of a high-impact automation workflow. Because the skill can progress toward content generation, credential use, and publishing, ambiguous invocation increases the chance of unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
The documentation promotes fully automatic publishing and local record keeping without an explicit warning that these are impactful actions affecting external accounts and local storage. In this context, unintended publication can damage reputation or violate platform rules, while silent logging may expose sensitive content or account metadata on disk.

Missing User Warnings

Severity: Medium
Confidence: 95%
The skill instructs users to supply sensitive credentials, including a session cookie and API keys, but does not warn about the security implications of storing or exposing them. Cookies can grant direct account access, and insecure handling could lead to account takeover, unauthorized posting, or leakage through logs, config files, or prompts.

Vague Triggers

Severity: Medium
Confidence: 87%
The example configuration enables automated publishing with only a minimal interval and no explicit safeguards such as account allowlists, dry-run defaults, rate limits beyond a single delay, approval gates, or content-policy checks. In a skill whose stated purpose is end-to-end Xiaohongshu automation, this broad publish configuration materially increases the chance of unintended posting, spammy behavior, platform-policy violations, or misuse at scale.

Missing User Warnings

Severity: Medium
Confidence: 94%
In full-auto mode, the script can publish generated content directly to Xiaohongshu whenever config['publish']['enable'] is set, with no final user-facing confirmation or dry-run safeguard. In a skill explicitly designed for bulk automated posting, this increases the risk of accidental publication, spammy behavior, policy violations, or release of low-quality or sensitive content at scale.

VirusTotal

66/66 vendors flagged this skill as clean.