Baoyu Post To Xhs

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it needs review because it can act through a logged-in social account, automatically kills Chrome debugging (CDP) sessions it did not start, and ships probe scripts that print private page content to stdout, where it ends up in logs.

Install only if you are comfortable letting the skill control a browser session for Xiaohongshu posting. If you do:
  • Use a dedicated Chrome profile (a separate --user-data-dir) so the skill never attaches to your personal session.
  • Review drafts before publishing, and avoid --submit unless you want posts published automatically.
  • Do not allow automatic Chrome process killing if other browser automation may be running on the same host.
  • Avoid the probe/debug scripts wherever terminal or CI logs could expose private account or draft content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The troubleshooting instructions tell the agent to kill existing Chrome processes using a remote-debugging-port match, which is host-level process control beyond the minimum needed for posting content. Even if scoped to CDP instances, this can terminate other active automation or browser sessions on the machine, causing denial of service, loss of work, or disruption of unrelated tasks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The code enumerates default Chrome user-data directories and inspects running processes to discover any existing Chrome instance with remote debugging enabled, rather than limiting itself to a skill-owned browser profile. That broad discovery can attach the automation to a user's personal Chrome session, exposing cookies, authenticated tabs, browsing context, and other session data unrelated to posting to Xiaohongshu.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill explicitly instructs the agent to force-kill Chrome CDP instances and retry without asking the user. Automatically terminating user applications without warning is dangerous because it bypasses consent and can interrupt sessions, discard unsaved state, or affect unrelated browser automation sharing the same host.
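The three findings above describe killing any Chrome that matches the remote-debugging port and attaching to whatever CDP instance discovery turns up. The Python below is an added example, not code from the skill or from SkillSpector, showing the scoped alternative a reviewer would ask for: ownership is decided from the process's own --user-data-dir and port, only the skill-owned instance is ever eligible for termination, and other CDP sessions are reported to the user instead of being killed or attached to. The profile path, port, and process table are assumptions constructed for the example.

```python
# Added example (not the skill's own code): scope-limited Chrome process control
# for a CDP automation skill. The policy is "only signal a Chrome you launched",
# decided from the process's own argv rather than from a bare
# --remote-debugging-port match. The profile path, port and process table below
# are constructed assumptions for illustration, not values taken from the skill.
import shlex
from dataclasses import dataclass
from typing import List, Optional

SKILL_PROFILE_DIR = "/tmp/xhs-skill-profile"  # assumed: profile created only for this skill
SKILL_CDP_PORT = "9333"                         # assumed: port the skill passes at launch


@dataclass(frozen=True)
class ChromeProc:
    """A running Chrome as seen in a process table (constructed sample rows below)."""
    pid: int
    cmdline: str


def chrome_flag(args: List[str], name: str) -> Optional[str]:
    """Return the value of --name=value or '--name value' from a Chrome argv, else None."""
    prefix = f"--{name}="
    for i, arg in enumerate(args):
        if arg.startswith(prefix):
            return arg[len(prefix):]
        if arg == f"--{name}" and i + 1 < len(args):
            return args[i + 1]
    return None


def classify(proc: ChromeProc) -> str:
    """'owned' = launched by this skill; 'foreign' = some other CDP session; 'ignore' = no CDP."""
    args = shlex.split(proc.cmdline)
    port = chrome_flag(args, "remote-debugging-port")
    if port is None:
        return "ignore"
    profile = chrome_flag(args, "user-data-dir")
    # Port alone is not ownership: a port collision with the user's own
    # DevTools session would otherwise get their browser killed.
    if profile == SKILL_PROFILE_DIR and port == SKILL_CDP_PORT:
        return "owned"
    return "foreign"


def naive_kill_targets(procs: List[ChromeProc]) -> List[int]:
    """What 'kill every Chrome whose command line mentions the debug port' hits."""
    return [p.pid for p in procs if "--remote-debugging-port" in p.cmdline]


def scoped_kill_targets(procs: List[ChromeProc]) -> List[int]:
    """Only the skill's own Chrome is eligible for termination."""
    return [p.pid for p in procs if classify(p) == "owned"]


def foreign_sessions(procs: List[ChromeProc]) -> List[int]:
    """CDP sessions the skill must neither attach to nor kill; surface these to the user."""
    return [p.pid for p in procs if classify(p) == "foreign"]


# Constructed process table: a personal browser with DevTools open, an unrelated
# automation run that happens to use the skill's port, the skill's own instance,
# and a plain Chrome with no remote debugging at all.
SAMPLE_PROCS = [
    ChromeProc(101, "/opt/google/chrome/chrome --remote-debugging-port=9222 "
                    "--user-data-dir=/home/alice/.config/google-chrome"),
    ChromeProc(102, "/opt/google/chrome/chrome --headless=new --remote-debugging-port 9333 "
                    "--user-data-dir=/tmp/playwright-run-7"),
    ChromeProc(103, f"/opt/google/chrome/chrome --remote-debugging-port={SKILL_CDP_PORT} "
                    f"--user-data-dir={SKILL_PROFILE_DIR} --no-first-run"),
    ChromeProc(104, "/opt/google/chrome/chrome --profile-directory=Default"),
]

if __name__ == "__main__":
    print("naive port-match kill would terminate:", naive_kill_targets(SAMPLE_PROCS))
    print("scoped policy terminates:             ", scoped_kill_targets(SAMPLE_PROCS))
    print("foreign CDP sessions to report:       ", foreign_sessions(SAMPLE_PROCS))
```

Run against the constructed table, the naive port match would kill all three CDP instances, including the user's own DevTools session and the unrelated automation run sharing port 9333; the scoped policy terminates only PID 103 and hands the other two back to the user as a warning, which is the consent step finding 3 says is missing.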

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script extracts visible text from the live Xiaohongshu creator page and prints it to stdout, which can expose account-specific or user-generated content to logs, terminals, CI output, or downstream collectors without explicit consent. In a browser-automation skill that attaches to an existing Chrome session, this is particularly risky because it may capture authenticated page data belonging to the current user.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code captures a slice of outerHTML from the upload area and prints it directly, which may include page structure, embedded metadata, filenames, identifiers, or other sensitive state from the authenticated publishing interface. Because the skill operates against a live XHS creator page via CDP, logging raw HTML increases the chance of unintended data disclosure through console logs or stored telemetry.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This script attaches to a live Chrome session, inspects the DOM of an authenticated Xiaohongshu creator page, and logs extracted page structure, text content, and HTML snippets to stdout without any access-control, minimization, or user-facing disclosure in the code. Even though the apparent purpose is debugging UI automation, those logs can capture sensitive account data, draft post contents, or other page-resident information and may be exposed through terminal history, CI logs, or agent telemetry.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script launches Chrome, attaches to an existing Xiaohongshu page over CDP, and programmatically reads page DOM content, visible text, button labels, and HTML fragments. Because this occurs without explicit, task-specific user consent or data-minimization controls, it can expose account content, drafts, private page state, or other sensitive information from a logged-in browser session beyond what is necessary for posting.
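Findings 4 through 7 all turn on the same behaviour: the probe scripts print visible text and outerHTML slices from the authenticated creator page straight to stdout. The Python below is an added example, not the skill's code, of the data minimization those findings ask for. It keeps what is useful for debugging selectors (a structural DOM skeleton: tag names, a few layout attributes, text replaced by its length) and drops what leaks (attribute values such as data-*, src, href, all text), and it redacts and truncates any visible text before it is logged. The HTML fragment, attribute names, and sample text are constructed for the example.

```python
# Added example (not the skill's own code): minimizing what a DOM probe writes
# to stdout. Instead of printing innerText or an outerHTML slice from the
# authenticated creator page, log a structural skeleton (tags and a few layout
# attributes, text replaced by its length) and a redacted, truncated text
# summary. The HTML and text below are constructed samples, not real page data.
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes that describe layout, not content. value/src/href/data-* and
# aria-label are dropped because they routinely carry filenames, ids or text.
STRUCTURAL_ATTRS = {"id", "class", "type", "accept", "role", "multiple"}
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}


class _Skeleton(HTMLParser):
    """Collects an indented tag outline; never stores text or dropped attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []
        self.depth = 0

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        kept = [k if v is None else f'{k}="{v}"' for k, v in attrs if k in STRUCTURAL_ATTRS]
        dropped = len(attrs) - len(kept)
        head = " ".join([tag] + kept)
        suffix = f" (+{dropped} attrs dropped)" if dropped else ""
        self.lines.append("  " * self.depth + f"<{head}>{suffix}")
        if tag not in VOID_TAGS:
            self.depth += 1

    def handle_endtag(self, tag: str) -> None:
        if tag not in VOID_TAGS:
            self.depth = max(0, self.depth - 1)

    def handle_data(self, data: str) -> None:
        n = len(data.strip())
        if n:  # record that text exists and how much, never the text itself
            self.lines.append("  " * self.depth + f"#text({n} chars)")


def dom_skeleton(html: str) -> str:
    """Structure-only view of a fragment: enough to debug selectors, no page content."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return "\n".join(parser.lines)


_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_LONG_DIGITS = re.compile(r"\d{7,}")  # phone numbers, order ids, account numbers


def redact_visible_text(text: str, limit: int = 60) -> str:
    """Mask e-mail addresses and long digit runs, then truncate with a count."""
    out = _EMAIL.sub("[email]", text)
    out = _LONG_DIGITS.sub("[number]", out)
    if len(out) > limit:
        out = out[:limit] + f"...[{len(out) - limit} more chars omitted]"
    return out


# Constructed outerHTML of an upload area on a creator page: the kind of slice
# the probe prints verbatim. It carries a nickname, a draft filename and a phone.
SAMPLE_UPLOAD_HTML = """
<div class="upload-area" id="uploader" data-user="alice_creator">
  <input type="file" accept="video/*,image/*" name="media" data-file="vacation_draft_2024.mp4">
  <span class="filename">vacation_draft_2024.mp4</span>
  <p class="tip">Questions? Reach me at 13800138000 or alice@example.com</p>
</div>
"""

if __name__ == "__main__":
    print(dom_skeleton(SAMPLE_UPLOAD_HTML))
    print(redact_visible_text("Questions? Reach me at 13800138000 or alice@example.com"))
```

The skeleton still shows that the upload control is an `<input type="file">` inside `#uploader` with a `.filename` span next to it, which is all a selector-debugging probe needs; the nickname, draft filename, phone number and address never reach stdout. The redaction regexes are deliberately coarse: when in doubt about whether a probe's output may reach CI logs or agent telemetry, the safe default is to log counts and structure, not content.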

VirusTotal

66/66 vendors reported this skill as clean (no detections).
