小红书 Mac Controller

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to automate Rednote/Xiaohongshu, but it can read private content and perform account-changing social actions without clear built-in confirmation or privacy controls.

Install only if you are comfortable granting the skill Accessibility-level control over your Mac and logged-in Rednote account. Before using it, review which tools can send messages, post or delete comments, read DMs, capture screenshots, and touch the clipboard; avoid sensitive conversations or clipboard contents during use, and require your agent to ask for explicit approval before any outbound or destructive action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def type_text(text: str, delay: float = 0.4):
    """Type text by pasting from the clipboard, avoiding Chinese IME problems"""
    # 1. Write the text to the clipboard
    subprocess.run(["pbcopy"], input=text.encode("utf-8"))
    time.sleep(0.1)
    # 2. Paste with Cmd+V
    subprocess.run(["osascript", "-e",
Confidence
89% confidence
Finding
subprocess.run(["pbcopy"], input=text.encode("utf-8"))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        IMG_W, IMG_H = 708, 736

        # Clear the clipboard first
        subprocess.run(["pbcopy"], input=b"")

        # 1. Click the "Share" button at the bottom (screenshot coordinates approx. 505, 688)
        share_x = int(b["x"] + 505 * b["w"] / IMG_W)
Confidence
88% confidence
Finding
subprocess.run(["pbcopy"], input=b"")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        click_global(copy_x, copy_y, delay=1.0)

        # 3. Read the clipboard
        result = subprocess.run(["pbpaste"], capture_output=True, text=True)
        raw = result.stdout.strip()

        # Extract the URL (format: text + URL + text)
Confidence
93% confidence
Finding
result = subprocess.run(["pbpaste"], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        ytdlp = shutil.which("yt-dlp") or "yt-dlp"
        cmd = [ytdlp, "-o", f"{output_dir}/%(id)s.%(ext)s",
               "--write-info-json", "--no-playlist", url]
        r = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        # Find the downloaded video file
        for ext in ("mp4", "mov", "webm", "flv", "m4v"):
            files = glob.glob(f"{output_dir}/*.{ext}")
Confidence
95% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=120)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The helper returns a screenshot by default for many tool invocations, which can expose unrelated on-screen content such as private messages, account data, or other sensitive UI state beyond the requested action. In this skill's context, the tool controls a social-media app via macOS Accessibility APIs, so screenshots can easily contain personal conversations or account information and are sent back automatically without action-specific minimization.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata describes Accessibility-based control of the rednote app, but this code also downloads remote video content and processes it with external media tools. That is a substantial capability mismatch: users and reviewers would expect UI automation, not off-platform network retrieval and file extraction, so the hidden expansion materially increases risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using yt-dlp introduces a powerful network-capable acquisition path unrelated to simple app control, enabling retrieval of external content and creation of local files. In an agent skill, this undisclosed capability is dangerous because it broadens the trust boundary and may be repurposed to fetch arbitrary remote data under the guise of app automation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The controller writes user-supplied text to the system clipboard for message/comment entry, a system-wide side effect not disclosed in the manifest. Clipboard modification can overwrite sensitive clipboard contents and expose automation data to other applications, making this more dangerous than ordinary in-app input.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This function obtains a note URL by reading the global clipboard after automating a copy-link action. That extends the skill beyond pure app control into cross-application data access, and because clipboard state is shared system-wide, it can capture or corrupt unrelated user data without transparent notice.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises tools that can send DMs, post or delete comments, follow, like, and collect content, but it does not clearly warn users that these actions change account state, may contact other users, and can expose private account activity. In this context, the skill directly drives a logged-in rednote app through macOS Accessibility APIs, so accidental or unauthorized invocation can have real-world side effects on the user’s social account.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation explicitly describes opening a private conversation and sending a direct message, but provides no warning that this triggers outbound communication to a real user account and may expose recipient data or create unsolicited contact. In this skill's context, the capability is operational and user-facing rather than hypothetical, so missing consent, authorization, and safety guidance increases the risk of spam, harassment, privacy violations, or accidental messaging from the connected account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool can send outbound private messages immediately with attacker-controlled or mistaken content and no explicit confirmation step. In an agent setting, this creates a real risk of unauthorized impersonation, spam, social engineering, or accidental disclosure because the action is performed on the user's logged-in account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This tool posts a public comment directly from the user's account without any explicit warning or confirmation. Because comments are public and attributable to the user, a malicious prompt, confused agent, or accidental invocation could cause reputational harm, unwanted engagement, or policy-violating content to be published.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Replying to a comment is another public posting action, yet the tool sends the reply immediately with no user confirmation. In this skill's context, the automation controls a real social media app via macOS Accessibility APIs, so mistaken or manipulated execution can publish unwanted responses under the user's identity at scale.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic UI screenshots after actions create a privacy leak because they may capture more than the narrowly requested result, including direct messages, profile information, or other visible content in the rednote window. This is especially risky here because the skill explicitly operates on private social content and runs with Accessibility permissions, increasing the sensitivity of what can be exposed.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code reads and returns private direct-message conversation content, including partner identity and shared note references, with no built-in confirmation, disclosure, or minimization. In this skill context, DM content is highly sensitive user data, so silent extraction through accessibility APIs is a genuine privacy vulnerability.

Missing User Warnings

High
Confidence
99% confidence
Finding
This function captures and returns a screenshot of the message list, which may expose conversation names, previews, and other private metadata. Because there is no user-facing warning or confirmation at the point of capture, it creates an unnecessary covert access path to sensitive communications data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function automates sending direct messages without any embedded confirmation or safety check. In an agent setting, that creates a risk of unintended outbound communication, impersonation of the user, and abuse of private messaging capabilities if invoked unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code posts public comments automatically with no built-in approval step. Public posting is an externally visible side effect, so omission of confirmation or rate limiting increases the risk of spam, accidental publication, and reputational harm.

Missing User Warnings

High
Confidence
97% confidence
Finding
Deleting comments is a destructive action, yet this function performs it through UI automation without a local confirmation gate. In an agent-controlled workflow, that can lead to irreversible content removal, moderation abuse, or accidental deletion if the UI target is misidentified.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function reads the system clipboard as part of note-link extraction without any explicit disclosure. Clipboard data often contains sensitive cross-application information, so silent access is a meaningful privacy issue even if the intended goal is only to retrieve a copied URL.

VirusTotal

59/59 vendors flagged this skill as clean.
