xiaohongshu-cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Xiaohongshu CLI, but it should be reviewed because it can reuse browser login cookies and perform live account actions including posting, following, commenting, and deletion.

Install only if you trust the publisher and are comfortable letting an agent reuse Xiaohongshu browser session cookies. Use a disposable or low-risk account where possible, require explicit confirmation before likes, follows, comments, posts, uploads, or deletes, avoid delete -y in agent workflows, and run xhs logout when finished to clear the cached cookies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This CLI accepts a browser source parameter specifically to read cookies from installed browsers, enabling reuse of existing authenticated sessions without an explicit login flow at invocation time. In an agent-skill context, browser cookie extraction expands access to sensitive session credentials and can silently grant account access beyond what a user would expect from a normal Xiaohongshu content tool.

Context-Inappropriate Capability

Medium
Confidence
77% confidence
Finding
The client includes an endpoint for reading another user's favorites/bookmarks, which is materially more privacy-sensitive than ordinary note browsing and is not clearly disclosed in the skill description. In an agent context, hidden access to inferred interests or saved content can enable covert profiling or collection of personal preference data beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code intentionally fabricates high-entropy browser fingerprint fields, session identifiers, and trace IDs to mimic a real browser environment rather than limiting itself to minimal request signing. In the context of a CLI for Xiaohongshu operations, this increases privacy risk and can enable anti-bot evasion or impersonation of user/browser characteristics beyond what is necessary for stated functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises automatic extraction of browser cookies and persistent storage of session data in a local cookies file, but does not provide a strong warning about the sensitivity of browser-derived authentication material. In an agent skill context, this increases the risk that an AI system or user invokes the tool without appreciating that it is handling live account session credentials, which could enable account takeover if exposed or misused.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README lists account-affecting actions such as follow/unfollow, like, favorite, comment, delete-comment, post, and delete without an upfront warning that these commands perform real mutations on a user's Xiaohongshu account. In an agent setting, that omission can lead to unintended social actions or destructive content changes if the tool is invoked automatically or with ambiguous prompts.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The description says to use this skill for ALL Xiaohongshu operations and to invoke it whenever the user requests any Xiaohongshu interaction, which is overly broad. This can cause accidental activation for ambiguous requests and route users into authenticated, side-effect-capable commands without sufficient intent verification, especially because the skill includes posting, commenting, following, and deletion operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The command reference lists destructive and state-changing operations such as like, comment, follow, post, delete-comment, unfollow, unfavorite, and delete without a prominent warning or confirmation requirement. In an agent setting, this makes accidental social actions or deletion more likely, particularly because the tool authenticates via browser cookies and acts on the user's real account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
These integration tests perform real authenticated write actions against a live Xiaohongshu account, including like, favorite, comment, and follow operations. Although the tests attempt cleanup in finally blocks, cleanup is best-effort and can fail, leaving persistent account actions or user-facing artifacts; in an agent skill context, this increases the chance of unintended real-world side effects from automated execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upload helper reads an arbitrary local file path and sends the file contents to a remote host with no in-code guardrails, type validation beyond a caller-supplied content type, or user acknowledgment. In an agent setting, this creates a clear exfiltration risk if upstream prompts or tools can influence the file path, causing unintended disclosure of local files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The client exposes destructive actions such as comment deletion and note deletion without any built-in confirmation, dry-run mode, or safety interlock. In an autonomous or semi-autonomous agent workflow, a mistaken tool invocation, prompt injection, or ambiguous user command could irreversibly remove user content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code automatically extracts Xiaohongshu authentication cookies from local browsers and persists them to disk without any explicit user consent, warning, or interactive confirmation. In an agent skill that can perform account actions like posting, commenting, following, and liking, silently acquiring session cookies materially increases the risk of unauthorized account access and abuse.

Natural-Language Policy Violations

Medium
Confidence
75% confidence
Finding
The fingerprint generator hard-codes locale- and timezone-related values such as zh-CN and Asia/Shanghai, causing the tool to misrepresent the user's environment without consent. While not a direct code-execution flaw, this can mislead downstream services, undermine transparency, and contribute to stealthy account automation behavior when combined with the broader browser-fabrication logic.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
xhs my-notes --page 1                 # Next page
xhs post --title "标题" --body "正文" --images img.jpg  # Post note
xhs delete <note_id>                   # Delete note
xhs delete <note_id> -y               # Skip confirmation

# ─── Notifications ────────────────────────────────
xhs unread                             # Unread counts (likes, mentions, follows)
Confidence
91% confidence
Finding
Skip confirmation

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
| Variable | Default | Description |
|----------|---------|-------------|
| `OUTPUT` | `auto` | Output format: `json`, `yaml`, `rich`, or `auto` (→ YAML when non-TTY) |

## Rate Limiting & Anti-Detection
Confidence
94% confidence
Finding
cookies** — auto-extracts from Chrome, Firefox, Safari, Edge

VirusTotal

No VirusTotal findings
