rednote(xiaohongshu,xhs)

Security checks across malware telemetry and agentic risk

Overview

This Rednote/Xiaohongshu automation skill is coherent, but it can reuse saved login cookies to publish, comment, follow, like, and collect without built-in confirmation checks.

Install only if you are comfortable giving this skill a reusable Rednote/Xiaohongshu login session and allowing it to perform visible actions on that account. Keep rednote_cookies.json private, delete or revoke it when done, and require your agent or workflow to ask for explicit approval before publishing, commenting, following, liking, collecting, or uploading any local image files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
This helper persists authenticated Xiaohongshu session state to a local JSON file, which effectively stores reusable login credentials on disk. In the context of a skill that can also perform actions like liking, commenting, following, and publishing, theft or reuse of that file could enable full account takeover of the automated session and unauthorized actions on behalf of the user.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The function contract says it accepts image URLs, but the implementation passes those values directly to Playwright's file chooser, which only uploads local files. This mismatch can cause callers or higher-level agents to supply untrusted or unintended paths, potentially exposing local files from the machine running the skill rather than remote images the user thought were being referenced.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The CLI advertises `--image-urls` as URLs, but the values are consumed as local upload paths by `set_files()`. In an agent context, this deceptive interface increases the chance of accidental local file exfiltration or publication because a caller may pass sensitive host paths under the mistaken assumption they are harmless references.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises account-affecting actions such as liking, commenting, following, collecting, and publishing, but it does not require an explicit user confirmation step before those external side effects occur. In an agent setting, this can lead to unintended actions on a real user account, reputational harm, or platform abuse if the agent misinterprets user intent or is prompted ambiguously.

Missing User Warnings

Medium
Confidence: 97%
Finding
The login workflow describes validating cookies and launching manual login, but it does not prominently warn users that authentication cookies will be stored locally and reused for future authenticated actions. This creates a risk that users do not understand session persistence, and a local compromise or accidental sharing of the cookie file could enable unauthorized access to the Xiaohongshu account.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script performs an externally visible action by immediately submitting a public comment once called, using authenticated session cookies and without any confirmation, preview, or safety interstitial. In an agent context, this increases the risk of accidental spam, unwanted impersonation of the logged-in user, or abuse through prompt-influenced inputs because the action is irreversible once sent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script automatically loads persisted authentication state from `rednote_cookies.json` and uses it to access content as a logged-in account without any explicit warning, consent check, or scope restriction. In a skill designed to interact with a social platform, this increases the risk of unintended account use, privacy exposure, or unauthorized actions if the cookies file is reused by another user or process.

Missing User Warnings

Medium
Confidence: 95%
Finding
This script performs a real account action (following a user) using persisted authentication state from rednote_cookies.json with no explicit confirmation, authorization check, or user-interaction safeguard. In an agent-skill context, that creates a meaningful risk of unauthorized social actions being triggered on behalf of the logged-in user, especially if the tool is invoked indirectly or with attacker-controlled URLs.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script loads persisted authentication state from rednote_cookies.json and immediately performs an account action (liking a post) without any consent prompt, scope restriction, or disclosure to the user at execution time. If this skill is invoked on behalf of a user or in a shared environment, it can silently use previously captured session cookies to act as that user, enabling unauthorized account actions and creating privacy and account-integrity risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code writes authenticated session state to disk without any explicit warning that the file may contain reusable login material. Users may not understand that closing the browser leaves behind a credential artifact that could be copied, backed up, or accessed by other local users or processes.

Missing User Warnings

Medium
Confidence: 91%
Finding
This script performs a real public posting action immediately after filling content, with no final confirmation, dry-run mode, or explicit user acknowledgment. In a browser-automation skill that already holds authenticated session cookies, that makes accidental or unauthorized publication materially more likely, especially when invoked by another agent or workflow.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content
#### Login Error (`❌ 未找到 cookies 文件,请先登录小红书并保存 cookies`)
**Cause**: The `rednote_cookies.json` file doesn't exist or is not in the correct location.
**Solution**: The system will automatically execute `python scripts/manual_login.py` to perform manual login and save cookies. The user just needs to complete the login process in the opened browser window.

#### Login Session Expired (`❌ 未登录小红书,请先登录`)
**Cause**: Authentication tokens have expired or are invalid.
Confidence: 88%
Finding
automatically execute

VirusTotal

64/64 vendors flagged this skill as clean.