RedNote Publish Auto

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Xiaohongshu publishing tool, but it handles a full account cookie and can post publicly with under-scoped safeguards.

Install only if you are comfortable giving the skill a reusable Xiaohongshu session cookie and allowing it to publish after your confirmation. Use a dedicated account, review every preview carefully, avoid API mode unless the endpoint is local and fully trusted, do not send the cookie to remote services, keep the cookie out of shared repositories, and revoke or rotate the session after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities to read a local cookie file, access environment data, and publish over the network, but does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: an agent/runtime may grant or execute sensitive actions without the user or platform being able to review them explicitly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read an authentication cookie from a local file in the user's workspace. Authentication cookies are highly sensitive bearer credentials; granting the skill file access to them increases the blast radius beyond content creation and enables account actions if mishandled, leaked, or abused.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The skill says publishing requires explicit confirmation, but it also auto-triggers on broad phrases and starts the workflow immediately. In practice this can create ambiguous consent boundaries and raise the risk of the agent progressing toward a sensitive publish action from casual conversation or mistaken activation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script explicitly instructs users to extract and provide their full browser cookie from developer tools, which is a highly sensitive session credential. Full session cookies can enable account takeover or unauthorized publishing if leaked, reused, logged, or sent to another service, and this goes beyond normal content input for a publisher tool.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like '发小红书' ("post to Xiaohongshu") or '写一篇小红书' ("write a Xiaohongshu post") are likely to overlap with normal conversation, making accidental activation more likely. In a skill that can eventually read credentials and publish content, mis-triggering materially increases the chance of unintended sensitive actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs the irreversible publish action immediately after initialization without an interactive confirmation, final summary approval, or strong warning. In an automation skill that can publish externally on a real account, accidental invocation, parameter mistakes, or prompt/agent misuse can result in unauthorized or unwanted public posts.

Missing User Warnings

High
Confidence
97% confidence
Finding
In API mode, the script sends the user's authentication cookie to an HTTP API service during session initialization, with no strong user-facing warning and no enforcement of HTTPS or trusted localhost-only use. This exposes a reusable session credential to interception, misconfiguration, or compromise of the API service, potentially leading to full account abuse.

External Transmission

Medium
Category
Data Exfiltration
Content
        # Initialize session
        try:
            resp = requests.post(
                f"{self.api_url}/init",
                json={
                    "session_id": self.session_id,
Confidence
93% confidence
Finding
requests.post( f"{self.api_url}/init", json=

External Transmission

Medium
Category
Data Exfiltration
Content
            if post_time:
                payload["post_time"] = post_time

            resp = requests.post(
                f"{self.api_url}/publish/image",
                json=payload,
                timeout=120
Confidence
84% confidence
Finding
requests.post( f"{self.api_url}/publish/image", json=

Credential Access

High
Category
Privilege Escalation
Content
python publish_xhs.py --title "标题" --desc "描述" --images cover.png card_1.png --api-mode

Environment variables:
    Create a .env file in the same directory or the project root and configure:

    # Required: Xiaohongshu cookie
    XHS_COOKIE=your_cookie_string_here
Confidence
72% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    cookie = os.getenv('XHS_COOKIE')
    if not cookie:
        print("❌ 错误: 未找到 XHS_COOKIE 环境变量")
        print("请创建 .env 文件,添加以下内容:")
        print("XHS_COOKIE=your_cookie_string_here")
        print("\nCookie 获取方式:")
        print("1. 在浏览器中登录小红书(https://www.xiaohongshu.com)")
Confidence
91% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Xiaohongshu note-creation skill dependencies

# Markdown processing
markdown>=3.4.0
PyYAML>=6.0

# Browser automation (renders images)
Confidence
94% confidence
Finding
markdown>=3.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Markdown processing
markdown>=3.4.0
PyYAML>=6.0

# Browser automation (renders images)
playwright>=1.40.0
Confidence
97% confidence
Finding
PyYAML>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyYAML>=6.0

# Browser automation (renders images)
playwright>=1.40.0

# Xiaohongshu publishing
xhs>=0.4.0
Confidence
92% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0

# Xiaohongshu publishing
xhs>=0.4.0

# Environment variable management
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
xhs>=0.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
xhs>=0.4.0

# Environment variable management
python-dotenv>=1.0.0

# HTTP requests (API mode)
requests>=2.28.0
Confidence
90% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# HTTP requests (API mode)
requests>=2.28.0
Confidence
94% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like se)

High
Category
Supply Chain
Confidence
80% confidence
Finding
markdown

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
PyYAML

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
74% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
