Security audit

XHS Auto-Publish

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can publish immediately from a logged-in Xiaohongshu account and its documentation is inconsistent about whether publishing is opt-in.

Review before installing or running. Use only a dedicated Xiaohongshu browser profile, keep CDP bound to localhost, pass only trusted file paths/content, and always run with --dry-run first. Treat any run without --dry-run as capable of publishing immediately from the logged-in account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 82% confidence
Finding: The skill advertises access to environment-derived configuration such as `XHS_CDP_URL` but does not declare corresponding permissions. Undeclared capability use weakens reviewability and least-privilege controls, making it easier for a skill to consume runtime configuration or endpoints without explicit operator awareness.

Intent-Code Divergence

Low

Confidence: 90% confidence
Finding: The documentation states 'Always run without `--publish` first', but elsewhere the skill says publishing is the default behavior and `--dry-run` is what prevents a live post. This mismatch can cause an operator to omit a flag expecting a safe preview and instead trigger an irreversible public post from a logged-in account.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The script's header explicitly claims it will not publish unless a flag is set, but the implementation sets `publish: true` by default and only disables publishing with `--dry-run`. This mismatch is dangerous because users or upstream agents may rely on the documentation for safety and unintentionally trigger a real post to a logged-in social-media account, causing irreversible external actions.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The documented interface advertises a `--publish` flag, but no such flag exists; instead, publication occurs automatically unless `--dry-run` is used. This is a real safety issue because automation frameworks and human operators may invoke the script expecting preview-only behavior and accidentally publish content to a production account.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill is designed to control an already-authenticated browser session on Xiaohongshu and publishes posts by default, yet the warning about this live side effect is weak. In this context, a mistaken invocation can immediately create public content on a real social account, causing reputational damage, policy violations, or unintended disclosure.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script performs an irreversible external action—publishing a social-media post—by default, with no runtime confirmation and only misleading documentation as notice. In the context of an agent skill connected to an already authenticated browser session, this is more dangerous because any mistaken invocation can immediately affect a real account and public content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal