Rednote Mac

Security checks across malware telemetry and agentic risk

Overview

This RedNote automation skill is not clearly malicious, but it needs review because it can control a live social account and the Mac UI, send, post and delete content, and capture the screen without strong built-in confirmations.

Install only if you are comfortable giving Terminal system-wide Accessibility control and letting an agent operate your live RedNote account. Keep tool approval enabled, verify the visible target before sending DMs, posting or replying to comments, following accounts, or deleting comments, and avoid unattended runs. Treat screenshots and clipboard use as sensitive, consider a dedicated macOS/RedNote account, and do not permanently disable your screensaver or screen lock.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    b = get_window_bounds()
    if not b:
        return None
    r = subprocess.run(
        ["/usr/sbin/screencapture", "-x", f"-l{b['id']}", path],
        capture_output=True)
    return path if r.returncode == 0 else None
Confidence
84% confidence
Finding
r = subprocess.run( ["/usr/sbin/screencapture", "-x", f"-l{b['id']}", path], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def type_text(text: str, delay: float = 0.4):
    """Type text by pasting from the clipboard, which avoids Chinese IME problems"""
    # 1. Write the text to the clipboard
    subprocess.run(["pbcopy"], input=text.encode("utf-8"))
    time.sleep(0.1)
    # 2. Paste with Cmd+V
    subprocess.run(["osascript", "-e",
Confidence
95% confidence
Finding
subprocess.run(["pbcopy"], input=text.encode("utf-8"))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
IMG_W, IMG_H = 708, 736

        # Clear the clipboard first
        subprocess.run(["pbcopy"], input=b"")

        # 1. Click the "Share" button at the bottom (screenshot coordinates roughly 505, 688)
        share_x = int(b["x"] + 505 * b["w"] / IMG_W)
Confidence
94% confidence
Finding
subprocess.run(["pbcopy"], input=b"")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        click_global(copy_x, copy_y, delay=1.0)

        # 3. Read the clipboard
        result = subprocess.run(["pbpaste"], capture_output=True, text=True)
        raw = result.stdout.strip()

        # Extract the URL (format: text + URL + text)
Confidence
93% confidence
Finding
result = subprocess.run(["pbpaste"], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    out_path = "/tmp/xhs_imgs/note_img_0.png"
    if note_type == "video":
        # Capture the whole window
        subprocess.run(["/usr/sbin/screencapture", "-x",
            f"-l{b['id']}", out_path])
    else:
        # The image occupies roughly the left 45% of the window
Confidence
86% confidence
Finding
subprocess.run(["/usr/sbin/screencapture", "-x", f"-l{b['id']}", out_path])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        y = int(b["y"] + 28)
        w = int(b["w"] * 0.47)
        h = int(b["h"] - 28 - 87)
        subprocess.run(["/usr/sbin/screencapture", "-x",
            "-R", f"{x},{y},{w},{h}", out_path])
    return [out_path] if os.path.exists(out_path) else []
Confidence
86% confidence
Finding
subprocess.run(["/usr/sbin/screencapture", "-x", "-R", f"{x},{y},{w},{h}", out_path])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        ytdlp = shutil.which("yt-dlp") or "yt-dlp"
        cmd = [ytdlp, "-o", f"{output_dir}/%(id)s.%(ext)s",
               "--write-info-json", "--no-playlist", url]
        r = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        # Find the downloaded video file
        for ext in ("mp4", "mov", "webm", "flv", "m4v"):
            files = glob.glob(f"{output_dir}/*.{ext}")
Confidence
90% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=120)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description understates the breadth of actions it can perform. In context, a macOS Accessibility-driven app controller with DM access, comment deletion, follower-list reading, and possible media download/inspection can access and manipulate sensitive in-app content beyond the narrow summary presented to users, which undermines informed consent and increases the chance of misuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation advises users to disable the macOS screensaver and keep the app visible as a workaround, which weakens host-level security beyond what is necessary for controlling a single app via Accessibility APIs. Because this change affects the whole system and can persist beyond the task, it increases the risk of unattended-session exposure and broadens impact if the workstation is left unlocked.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes a broad set of account-interaction actions—liking, collecting, following, posting/replying/deleting comments, opening DMs, and sending DMs—beyond the stated purpose of reading/replying to comments, sending DMs, and getting stats. In an agent setting, this scope expansion is dangerous because it enables unsolicited social actions and destructive account activity through macOS Accessibility automation without clear user awareness or least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The delete-comment tool performs an irreversible destructive action on the user's account but is not justified by the described skill purpose. Because it is callable directly and relies on Accessibility automation, an agent could remove user content without meaningful friction, causing account integrity and reputational harm.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes engagement and growth actions such as like, collect, and follow that are not necessary for the stated functionality. These actions can manipulate a user's social graph and platform activity history, creating reputational risk and enabling covert account use if triggered by an agent or prompt-injection chain.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill adds local video downloading and frame extraction capabilities that are outside the manifest's declared purpose of controlling the Mac app via Accessibility APIs. This scope expansion is dangerous because it enables acquisition and local processing of user/content data beyond expected UI automation, undermining least privilege and informed consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Invoking external tools like `yt-dlp`, `ffmpeg`, and `ffprobe` is not justified by the stated app-control purpose and creates additional attack surface, data handling, and compliance concerns. In a skill with accessibility privileges, this unjustified capability expansion makes exfiltration and covert collection materially easier.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises tools for sending DMs, posting comments, replying, and deleting comments, but does not provide clear safety guidance about privacy, account sanctions, accidental harassment/spam, or irreversible actions beyond a narrow warning on deletion. In this skill's context, the risk is elevated because it controls a live social-media account through macOS Accessibility with broad device control, making unintended or automated account-impacting actions more consequential.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes a capability to send outbound direct messages but does not warn that invoking the tool performs a real external action with privacy, consent, and spam implications. In an agent setting, this increases the risk of unintended or unauthorized communication because a model or user may treat the tool as a harmless read operation rather than a side-effecting action.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions tell users to run commands that prevent sleep and disable the screensaver, but provide no warning that this reduces workstation security and may leave an active session exposed. In a skill that already requires Accessibility permissions, encouraging additional host-security weakening makes the operational context more dangerous because a compromised or unattended machine would be easier to misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation recommends `xhs_follow_author()` as a workaround to reach an author's profile, but it does not warn that this action mutates the user's real account state by following another account. In an automation context, users may run this example expecting a read-only navigation step and unintentionally trigger social actions that affect privacy, recommendations, notifications, and platform interactions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The direct-message tool sends outbound communication from the user's account without any confirmation, preview, recipient verification, or caution. In the context of macOS Accessibility control, this is especially risky because an LLM or malicious prompt could cause real messages to be sent to unintended recipients, leading to data leakage, spam, harassment, or social-engineering abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The comment-posting tool performs a public account action immediately, with no confirmation or warning. Public posting is sensitive because unintended content can be permanently visible to others, harm the user's reputation, and leak information if the agent is manipulated into posting attacker-influenced text.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reply-to-comment tool publishes visible content without any confirmation or explicit caution. Because replies are public and contextual, accidental or attacker-influenced replies can create reputational damage, harassment risk, and unintended disclosure, especially when an Accessibility-driven agent is acting on a live logged-in account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The helper `_result()` automatically appends a screenshot to many tool responses, which can expose whatever is visible in the RedNote window, including private messages, account details, comments, and other on-screen personal data. In an MCP context, returning screenshots to the calling agent/model increases the chance of unintended data disclosure beyond what the user explicitly requested.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `xhs_send_dm` tool can send direct messages immediately once invoked, with no confirmation, preview, rate limiting, or user-consent checkpoint. Because this skill controls a live desktop app through Accessibility APIs, a mistaken or adversarial prompt could cause unauthorized outbound communication from the user's real account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code reads and returns private direct-message content without any user-facing disclosure, warning, or consent check. Since DMs can contain highly sensitive personal or business information, silent extraction in an Accessibility-enabled automation tool is a significant privacy vulnerability.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill can send private direct messages with no confirmation or user-facing disclosure. This can be abused for impersonation, spam, or accidental communication, especially because the app is controlled through Accessibility automation rather than a constrained API.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal