Auto Redbook Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for creating Xiaohongshu posts, but it asks for a live account cookie and renders unsanitized Markdown in a browser, which creates account and network-exposure risks users should review carefully.

Install only if you are comfortable giving the skill publishing authority for your Xiaohongshu account. Keep XHS_COOKIE local, never commit or share .env, prefer dry-run/private tests first, and avoid rendering untrusted Markdown or HTML unless network access is blocked. Pin dependencies before serious use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (18)

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The generated HTML imports Google Fonts from an external domain during Playwright rendering, which creates unnecessary outbound network access for a local rendering task. This can leak execution metadata such as IP, timing, and usage patterns, and can also make rendering depend on third-party availability.

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: Untrusted Markdown is converted to HTML with marked.parse(content) and embedded directly into a Playwright-rendered page without sanitization. Because raw HTML is allowed, an attacker can inject tags such as img, iframe, video, or CSS url() references that trigger arbitrary outbound requests, enabling SSRF-like network access and data exfiltration from the rendering environment.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill tells users to supply a live Xiaohongshu browser cookie and use it to publish posts, but it does not warn that this cookie is effectively an authenticated session credential. If exposed, logged, or mishandled, an attacker or unintended component could post on the user's behalf, access account data, or hijack the account session.

Credential Access

High

Category: Privilege Escalation
Content: # 小红书 Cookie 配置 # 将此文件复制为 .env 并填入真实的 Cookie # # 获取方式： # 1. 在浏览器中登录小红书 (https://www.xiaohongshu.com)
Confidence: 94% confidence
Finding: .env

Unpinned Dependencies

Low

Category: Supply Chain
Content: "author": "", "license": "MIT", "dependencies": { "js-yaml": "^4.1.0", "marked": "^11.0.0", "playwright": "^1.58.0" }
Confidence: 92% confidence
Finding: "js-yaml": "^4.1.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "license": "MIT", "dependencies": { "js-yaml": "^4.1.0", "marked": "^11.0.0", "playwright": "^1.58.0" } }
Confidence: 92% confidence
Finding: "marked": "^11.0.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "dependencies": { "js-yaml": "^4.1.0", "marked": "^11.0.0", "playwright": "^1.58.0" } }
Confidence: 94% confidence
Finding: "playwright": "^1.58.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: # 小红书笔记创作技能依赖 # Markdown 处理 markdown>=3.4.0 PyYAML>=6.0 # 浏览器自动化（渲染图片）
Confidence: 97% confidence
Finding: markdown>=3.4.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: # Markdown 处理 markdown>=3.4.0 PyYAML>=6.0 # 浏览器自动化（渲染图片） playwright>=1.40.0
Confidence: 99% confidence
Finding: PyYAML>=6.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: PyYAML>=6.0 # 浏览器自动化（渲染图片） playwright>=1.40.0 # 小红书发布 xhs>=0.4.0
Confidence: 95% confidence
Finding: playwright>=1.40.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: playwright>=1.40.0 # 小红书发布 xhs>=0.4.0 # 环境变量管理 python-dotenv>=1.0.0
Confidence: 96% confidence
Finding: xhs>=0.4.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: xhs>=0.4.0 # 环境变量管理 python-dotenv>=1.0.0 # HTTP 请求（API 模式） requests>=2.28.0
Confidence: 94% confidence
Finding: python-dotenv>=1.0.0

Unpinned Dependencies

Low

Category: Supply Chain
Content: python-dotenv>=1.0.0 # HTTP 请求（API 模式） requests>=2.28.0
Confidence: 98% confidence
Finding: requests>=2.28.0

Known Vulnerable Dependency: js-yaml==4.1.0 — 1 advisory(ies): CVE-2025-64718 (js-yaml has prototype pollution in merge (<<))

Low

Category: Supply Chain
Confidence: 87% confidence
Finding: js-yaml==4.1.0

Known Vulnerable Dependency: markdown — 2 advisory(ies): CVE-2025-69534 (Python-Markdown has an Uncaught Exception); CVE-2025-69534 (Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like se)

High

Category: Supply Chain
Confidence: 90% confidence
Finding: markdown

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical

Category: Supply Chain
Confidence: 99% confidence
Finding: PyYAML

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low

Category: Supply Chain
Confidence: 78% confidence
Finding: python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High

Category: Supply Chain
Confidence: 96% confidence
Finding: requests

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal