ZeeLin 小红书自动发布 (Xiaohongshu Auto-Publish)

Security checks across malware telemetry and agentic risk

Overview

This skill is for Xiaohongshu automation, but it can publish live posts from a logged-in account without a clear final approval step.

Install only if you intentionally want an agent to operate a Xiaohongshu creator account. Use a dedicated browser profile or test account, review generated content manually, set draft-only controls such as XHS_NO_PUBLISH where available, and do not run the auto-publish scripts unless you are ready for the post to go live.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (17)

Description-Behavior Mismatch
Severity: Medium | Confidence: 96%
Finding: The script does more than draft content: it immediately invokes a publishing subprocess that posts to Xiaohongshu. This is a real scope-expansion risk because a user asking for copy generation may unintentionally trigger an external side effect on a live account, causing unauthorized or premature publication.

Intent-Code Divergence
Severity: Medium | Confidence: 99%
Finding: The module docstring states publishing is disabled unless XHS_AUTO_PUBLISH=1, but the implementation does the opposite: it proceeds with formatting, next-step navigation, and final publish unless XHS_NO_PUBLISH is explicitly set. This mismatch is dangerous because users, operators, or higher-level agents may rely on the documented safety guard and unintentionally trigger live posting to a real Xiaohongshu account.

Description-Behavior Mismatch
Severity: Medium | Confidence: 96%
Finding: The skill metadata describes content-operations assistance, but the script performs direct browser-driven publishing to a live Xiaohongshu account. That mismatch is dangerous because users may invoke what appears to be a drafting/planning skill and unknowingly trigger an irreversible account action, especially when attached to an already-authenticated browser session via Chrome DevTools Protocol.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding: The code uses an existing authenticated browser tab and drives account-level actions through CDP, culminating in publication of a note. Because this exceeds a passive content-generation role and acts on behalf of the user without scoped authorization controls, it creates a real risk of unauthorized posting, reputational damage, and abuse of the user's session.

Intent-Code Divergence
Severity: High | Confidence: 99%
Finding: The module docstring states that live publishing only occurs when XHS_AUTO_PUBLISH=1, but the implementation does the opposite: it publishes by default unless XHS_NO_PUBLISH is set. This mismatch is dangerous because operators and higher-level agents may rely on the documented safety gate and unintentionally trigger real posts to a live Xiaohongshu account.

Intent-Code Divergence
Severity: Low | Confidence: 84%
Finding: The usage text identifies the tool as cdp_xhs_ops.py even though this file is a live publishing script with materially different behavior. Mislabeling operational tooling increases the chance that wrappers, users, or orchestration systems invoke it under false assumptions, which is especially risky in a content-publishing skill where actions affect an external account.

Vague Triggers
Severity: High | Confidence: 95%
Finding: The trigger language is extremely broad and is designed to activate on ordinary requests like writing copy or asking about trends, even when the user did not ask for account automation. In a skill that can ultimately publish to an external platform, overbroad invocation increases the risk of accidental activation and unintended posting workflows.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The markdown describes an automatic publishing flow that affects a live external account, but it does not provide a clear user-facing warning or consent checkpoint before executing account-impacting actions. In the context of social-media publishing, this can lead to accidental posts, brand damage, or unauthorized use of a logged-in session.

Vague Triggers
Severity: High | Confidence: 97%
Finding: The skill declares that many common content-related keywords should automatically trigger it, including generic requests like writing a short video caption or asking about trends. This creates an overbroad routing condition that can hijack ordinary user requests and cause the agent to invoke web-driven content-ops behavior when the user did not explicitly ask for that workflow.

Natural-Language Policy Violations
Severity: Medium | Confidence: 90%
Finding: The skill metadata and description instruct the system to use this skill for broad classes of requests in Chinese-language operational contexts, without indicating that the language should follow the user's preference. Forced language behavior can override user expectations, reduce usability, and cause incorrect or inaccessible responses when the user is interacting in another language.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding: The script writes a draft file and then publishes content without any interactive confirmation, dry-run mode, or explicit warning about side effects. In an automation context tied to a social-media account, this can lead to accidental posting, reputational damage, and unintended disclosure of generated or sensitive content.

Missing User Warnings
Severity: Medium | Confidence: 98%
Finding: Model-generated text is passed directly into the downstream publishing script with no moderation, validation, or human review. Because the skill is specifically designed for automated content operations, this makes hallucinated, policy-violating, brand-damaging, or prompt-injected output much more likely to be posted to a real platform account.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The script performs the final publish action automatically against a logged-in Xiaohongshu creator session with no user confirmation, preview, or explicit acknowledgment immediately before submission. In a content-publishing skill, this is dangerous because any upstream prompt injection, bad content generation, or accidental invocation can directly cause unauthorized public posting, reputational damage, or policy violations.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The script connects to Chrome's remote debugging interface on localhost and drives an already authenticated browser tab, effectively taking control of the user's live session without any in-script disclosure, consent flow, or scope restriction. This is risky because CDP access can manipulate page state and perform privileged actions as the logged-in user, and in this skill context the whole purpose is automated posting to a social-media account.

Missing User Warnings
Severity: Medium | Confidence: 99%
Finding: The script reaches the final publish step automatically and clicks the publish control without any confirmation dialog, dry run, or user review checkpoint. This is dangerous because a mistaken trigger, malformed body text, or hostile upstream input can immediately cause public posting from the user's account with no opportunity to stop it.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The script automatically clicks formatting, next-step, publish, and confirmation controls with no explicit user-facing confirmation at runtime. In this skill context, the code is designed for end-to-end automated content operations, so the absence of an interactive confirmation materially increases the risk of unintended or unauthorized publication to a real social media account.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The script automatically clicks the final 发布 (Publish) and follow-up confirmation buttons without any explicit user confirmation, dry-run mode, or review checkpoint. In the context of a social-media autoposting skill, this can cause unintended public publication, reputational damage, compliance issues, or accidental disclosure of sensitive content if upstream generated text is wrong or unsafe.

VirusTotal

66/66 vendors flagged this skill as clean.