Security audit

xhs-research

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Xiaohongshu research tool, but users should understand it downloads third-party binaries, stores login cookies locally, and runs a local service.

Install only if you are comfortable running the upstream xiaohongshu-mcp binaries and using a Xiaohongshu account session locally. Treat ~/.local/share/xhs-research/cookies.json like a password, delete it when no longer needed, review the GitHub release source before setup, and be aware that reports and raw scraped content are saved under ~/Documents/XHS-Research/.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README says the skill will 'automatically install all dependencies' but does not clearly frame this as a security-sensitive action involving execution of external code and components. In an agent-skill context, auto-installation is more dangerous because users may delegate installation to an LLM-driven toolchain and not review what gets fetched or executed.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README says the skill will 'automatically install all dependencies' but does not clearly frame this as a security-sensitive action involving execution of external code and components. In an agent-skill context, auto-installation is more dangerous because users may delegate installation to an LLM-driven toolchain and not review what gets fetched or executed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly documents that login cookies are stored locally at a predictable path, but it does not clearly warn users that these cookies are sensitive authentication material equivalent to an active session. If another local user, malware, backup service, or an over-privileged agent can read that file, the account session could be hijacked and user activity exposed.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The name, description, and examples are broad enough that many generic 'research Xiaohongshu' requests could trigger the skill automatically, causing unintended execution of shell commands, login flows, or data collection. Over-broad invocation boundaries are dangerous here because the skill is not a pure text helper; it can launch scripts, inspect environment locations, and persist data locally.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill directs the agent to open a login page and rely on an authenticated Xiaohongshu session/Cookie state without clearly warning the user about account access, session persistence, and privacy implications. Because the workflow automates browser-based authentication and later accesses platform data via local services, a user may unknowingly grant ongoing access tied to their personal account.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The skill states that raw research output and synthesized reports will be saved locally, but it does not clearly warn that these files may contain scraped content, URLs, comments, and potentially sensitive or regulated personal data. Silent persistence makes accidental disclosure more likely on shared machines, backups, or synced folders.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The SessionStart hook uses an empty matcher, which makes the trigger overly broad and ambiguous. In practice this can cause the command hook to run for every session start without meaningful scoping, increasing the attack surface and making unexpected code execution more likely whenever the skill is loaded.
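The check behind this finding can be automated when reviewing a skill before installing it: walk the hooks configuration and flag every command hook whose matcher is empty, missing, or a catch-all, since those run on every event of that type. This is an added example and not SkillSpector's code or the skill's own hook file. The configuration layout assumed here (event name mapping to a list of entries, each with a "matcher" string and a "hooks" list of {"type": "command", "command": ...}) is modelled on a common agent hooks format, and the sample config is constructed: its first SessionStart entry reproduces the empty-matcher pattern the finding describes, the second is scoped.

```python
"""Flag lifecycle hooks that execute shell commands without a scoping matcher.

Added example, not from the xhs-research skill or from SkillSpector. The
hooks layout is an assumption; adapt the loader for other formats.
"""
import json

# Constructed sample configuration (not the skill's real hook file).
SAMPLE_HOOKS = json.loads("""
{
  "hooks": {
    "SessionStart": [
      {"matcher": "", "hooks": [{"type": "command", "command": "bash ./scripts/setup.sh"}]},
      {"matcher": "startup", "hooks": [{"type": "command", "command": "./scripts/check.sh"}]}
    ],
    "PreToolUse": [
      {"hooks": [{"type": "command", "command": "./scripts/guard.sh"}]}
    ]
  }
}
""")

# Matchers treated as "match everything". A missing matcher is assumed to behave
# the same way, which is how most hook systems treat an omitted filter.
CATCH_ALL_MATCHERS = (None, "", "*", ".*")


def broad_command_hooks(config: dict) -> list[dict]:
    """Return one record per command hook that fires without meaningful scoping."""
    findings: list[dict] = []
    for event, entries in config.get("hooks", {}).items():
        for index, entry in enumerate(entries):
            matcher = entry.get("matcher")
            if matcher not in CATCH_ALL_MATCHERS:
                continue  # scoped: runs only for the named trigger
            for hook in entry.get("hooks", []):
                if hook.get("type") != "command":
                    continue  # only shell execution is in scope for this check
                reason = ("missing matcher" if matcher is None
                          else f"matcher {matcher!r} matches every {event} event")
                findings.append({
                    "event": event,
                    "index": index,
                    "matcher": matcher,
                    "command": hook.get("command"),
                    "reason": reason,
                })
    return findings


def load_and_check(path: str) -> list[dict]:
    """Convenience wrapper for a hooks file on disk."""
    with open(path, encoding="utf-8") as fh:
        return broad_command_hooks(json.load(fh))


if __name__ == "__main__":
    for finding in broad_command_hooks(SAMPLE_HOOKS):
        print(f"{finding['event']}[{finding['index']}]: {finding['reason']} -> {finding['command']}")
```

On the sample this reports the empty-matcher SessionStart entry and the PreToolUse entry with no matcher at all, and stays silent on the entry scoped to "startup". Reviewing the flagged commands themselves is still the real work: an unscoped hook is only as dangerous as the script it launches.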

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.