XHS Image Gen

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent Xiaohongshu card-rendering and publishing tool, but its publishing path uses raw browser session cookies and can send them to a configurable API service without enough warning.

Install only if you are comfortable giving the skill a live Xiaohongshu browser session cookie. Use rendering without publishing when possible, keep .env out of sync/sharing/version control, avoid --api-mode with non-local API URLs, review posts before making them public, and consider blocking external network access during rendering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises content creation but includes capabilities to read environment variables, access local files, and perform network operations without declaring permissions. This creates a transparency and consent gap: an agent or user may invoke the skill expecting text/image generation while it can also access credentials and communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The described behavior omits sensitive side effects: reading XHS cookies from .env, connecting to an API endpoint, retrieving account identity, and embedding a local avatar as a watermark. Because these actions involve credentials, account context, and possible data exfiltration or unintended disclosure, the mismatch makes the skill materially more dangerous than its description suggests.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The generated HTML imports Google Fonts via a remote URL, so rendering a local markdown file causes outbound network access during Playwright page loading. This can leak usage metadata such as timing, IP address, and possibly content-adjacent request context to a third party, and it breaks assumptions that the renderer is fully local/offline.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Body card rendering repeats the same remote Google Fonts import, which means every render can trigger undeclared external requests. In an agent skill context, users may expect local processing of their notes, so hidden network egress increases privacy and supply-chain risk if the remote resource changes or is unavailable.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The generated HTML imports Google Fonts via an external URL, so Playwright will make outbound network requests during rendering. In a content-generation skill, this creates unnecessary data egress, enables tracking of render activity/IP, and weakens isolation expectations for a local rendering pipeline.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Markdown is converted to HTML and rendered in a browser context without restricting external resource loads, so attacker-controlled markdown can embed remote images or other fetchable content. This can trigger SSRF-style requests from the host running Playwright, leak IP/network metadata, and potentially probe internal services if the markdown input is untrusted.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation scope is broad enough to match ordinary content-creation requests, increasing the chance the skill is invoked in contexts where the user only wanted drafting help, not file processing or publishing-capable behavior. In a skill that can later access credentials and post to an external platform, overbroad triggering raises the risk of unintended use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The publishing section instructs use of XHS_COOKIE and network posting but does not prominently warn that this uses a real account session and may expose account, privacy, or reputational risk if content is posted incorrectly. Even with a default private mode, the workflow normalizes credentialed posting without sufficient risk disclosure or explicit consent controls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
In API mode, the script sends the full XHS_COOKIE to the configured API service during /init. Because --api-url can point to any host and there is no explicit warning, trust boundary check, or HTTPS enforcement, a user's authenticated session token can be disclosed to an external service and reused to impersonate the account.

External Transmission

Medium
Category
Data Exfiltration
Content
# Initialise the session
try:
    resp = requests.post(
        f"{self.api_url}/init",
        json={
            "session_id": self.session_id,
Confidence
96% confidence
Finding
requests.post( f"{self.api_url}/init", json=

External Transmission

Medium
Category
Data Exfiltration
Content
if post_time:
    payload["post_time"] = post_time

resp = requests.post(
    f"{self.api_url}/publish/image",
    json=payload,
    timeout=120
Confidence
88% confidence
Finding
requests.post( f"{self.api_url}/publish/image", json=

Credential Access

High
Category
Privilege Escalation
Content
# Xiaohongshu Cookie configuration
# Copy this file to .env and fill in your real Cookie
#
# How to obtain it:
# 1. Log in to Xiaohongshu in your browser (https://www.xiaohongshu.com)
Confidence
88% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "",
  "license": "MIT",
  "dependencies": {
    "js-yaml": "^4.1.0",
    "marked": "^11.0.0",
    "playwright": "^1.58.0"
  }
Confidence
88% confidence
Finding
"js-yaml": "^4.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "license": "MIT",
  "dependencies": {
    "js-yaml": "^4.1.0",
    "marked": "^11.0.0",
    "playwright": "^1.58.0"
  }
}
Confidence
88% confidence
Finding
"marked": "^11.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "dependencies": {
    "js-yaml": "^4.1.0",
    "marked": "^11.0.0",
    "playwright": "^1.58.0"
  }
}
Confidence
90% confidence
Finding
"playwright": "^1.58.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Dependencies for the Xiaohongshu note-creation skill

# Markdown processing
markdown>=3.4.0
PyYAML>=6.0

# Browser automation (renders images)
Confidence
94% confidence
Finding
markdown>=3.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Markdown processing
markdown>=3.4.0
PyYAML>=6.0

# Browser automation (renders images)
playwright>=1.40.0
Confidence
97% confidence
Finding
PyYAML>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyYAML>=6.0

# Browser automation (renders images)
playwright>=1.40.0

# Xiaohongshu publishing
xhs>=0.4.0
Confidence
91% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0

# Xiaohongshu publishing
xhs>=0.4.0

# Environment variable management
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
xhs>=0.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
xhs>=0.4.0

# Environment variable management
python-dotenv>=1.0.0

# HTTP requests (API mode)
requests>=2.28.0
Confidence
90% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# HTTP requests (API mode)
requests>=2.28.0
Confidence
96% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: js-yaml==4.1.0 — 1 advisory(ies): CVE-2025-64718 (js-yaml has prototype pollution in merge (<<))

Low
Category
Supply Chain
Confidence
94% confidence
Finding
js-yaml==4.1.0

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like se)

High
Category
Supply Chain
Confidence
84% confidence
Finding
markdown

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
PyYAML

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
75% confidence
Finding
python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.
