xiaohongshu-image-generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to generate local image cards, but it starts a local web server and writes HTML without enough containment guidance.

Review before installing if you are not comfortable with local file creation and a temporary web server. Use it only in an empty working directory, bind the server to 127.0.0.1, stop it immediately after screenshotting, and avoid rendering untrusted prompt content as raw HTML.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs writing HTML files and launching a local HTTP server via shell commands, but it declares no permissions for file write or shell execution. This creates a transparency and governance gap: reviewers and users cannot accurately assess what the skill can do, and the undeclared capabilities could be abused or unexpectedly expand the agent's operational reach.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior does not match the actual workflow: instead of directly generating images with Playwright, the skill generates HTML, starts a local server, and relies on browser-based access and screenshotting. This mismatch is security-relevant because hidden operational steps can introduce unreviewed attack surface such as local service exposure, browser rendering of untrusted HTML, and misleading user expectations about what the skill executes.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill directs the agent to start a local HTTP server without clearly warning the user or describing the security implications. Even when bound to localhost, serving generated HTML creates an unnecessary local service that may expose content to other local processes or remote hosts if misconfigured, and it expands attack surface by rendering potentially untrusted prompt-derived HTML in a browser.

VirusTotal

64/64 vendors flagged this skill as clean.