Xhs Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Xiaohongshu publishing automation tool, but it handles account sessions, secrets, background services, and public posting with unsafe or under-disclosed controls.

Review this carefully before installing. Use a dedicated Xiaohongshu account, do not paste API keys or browser cookies into chat, rotate any exposed keys, and avoid running the MCP service or downloaded binaries outside a sandboxed environment. Only publish after manually reviewing the exact title, body, media, and destination account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly uses shell commands, environment variables, local file paths, and network calls, but does not declare permissions accordingly. This hides the real execution capabilities from users and reviewers, making consent and risk evaluation ineffective for a skill that can publish content, handle media, and interact with external services.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The README instructs users to install system-level tooling such as FFmpeg for media processing, which exceeds a narrowly scoped 'publishing' skill and expands the host attack surface. While this is likely intended to support video generation, bundling privileged package installation into skill documentation can normalize unsafe deployment practices and increase risk on the operator machine.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The README instructs operators to manually extract authentication cookies such as a1 and web_session from the browser, which exposes live session secrets outside normal login flows. This is dangerous because copied cookies can be reused to impersonate the user and bypass interactive authentication protections.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README prescribes broad system setup, background services, and local automation infrastructure beyond ordinary content publishing, including package installation, virtual display setup, binary download, and daemonized execution. This increases operational complexity and creates more opportunities for misuse or compromise of the host environment.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill instructs users to send an MD2CARD API key directly in chat so the agent can configure it. Collecting secrets through conversation is unsafe because chat logs may be retained, exposed to other tools, or mishandled, and it is unnecessary, since a dedicated secret-entry mechanism (an environment variable or a permission-restricted secrets file) could be used instead.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The file contains a hard-coded DOUBAO_API_KEY value and instructs the user to export it into the environment. Embedding a live credential in a distributable skill exposes it to anyone who can read the file, enabling unauthorized API usage, billing abuse, and potential account compromise.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script is presented as an environment check, but it also mutates system state by starting Xvfb and the MCP service. That mismatch is risky because users may run a supposedly read-only diagnostic script without realizing it will launch services and background processes, which can change host state and expand the skill's operational footprint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cookie-based login section tells users to copy sensitive authentication cookies without any strong warning about credential handling, storage, or disclosure. In the context of an automation skill, this normalizes unsafe treatment of bearer tokens that grant account access and could easily be leaked via logs, screenshots, or prompts.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README advertises automatic publishing to a third-party account via browser automation/MCP, but does not prominently warn that the tool can log in, maintain session state, and perform account actions on the user's behalf. In a skill whose core purpose is external posting, missing risk disclosure increases the chance of users authorizing sensitive account operations without understanding the scope of access.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The file instructs users to configure multiple API keys and secrets but gives no guidance on secure storage, rotation, access control, or avoiding accidental disclosure in shells, logs, or shared environments. Because this skill integrates several external services, poor credential hygiene could expose billing, content generation APIs, or publishing capabilities to unauthorized parties.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad everyday phrases like '发小红书' (post to Xiaohongshu) and '写笔记' (write a note), increasing the chance the skill activates in situations where the user did not intend full automation or external publication. In a skill that can generate media, call third-party services, and publish to a social platform, overly broad invocation increases accidental execution risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description markets one-click publishing but does not clearly warn that text and media will be sent to third-party APIs and then published to an external platform. This undermines informed consent, especially because the skill also uses paid services and handles account-linked publishing workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script attempts to start Xvfb automatically without prior confirmation, first via systemd and then by launching Xvfb directly in the background. Silent process creation is dangerous in an agent skill because it can unexpectedly alter the user's environment and make troubleshooting or rollback harder.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script auto-starts the MCP service and, if systemd is unavailable, runs it under nohup in the background. In a skill context, this creates a persistent service without explicit user consent, which can expose local interfaces, consume resources, and leave long-lived processes the user did not knowingly approve.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the user-provided title to Gemini for semantic line-breaking, which is a network transmission of user content that is not clearly disclosed at the point of use. Because titles can contain sensitive or proprietary information, this creates an avoidable privacy leak to a third-party service even when the user may expect only local image composition.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits user-provided content to an arbitrary external endpoint defined by XHS_AI_API_URL, but the call site only says it is generating content and does not explicitly warn that the input will be sent off-box. In an agent skill context, users may paste drafts, business data, or personal information, so silent transmission to a third-party API creates a real privacy and data-governance risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instructions normalize extracting and handling session cookies in plain language, which encourages operators to expose reusable account secrets outside the browser. Because these are effectively bearer tokens, anyone obtaining them can hijack the associated Xiaohongshu session until expiration or revocation.

Ssd 3

High
Confidence
97% confidence
Finding
Requesting that a user provide an API key directly in chat is unsafe secret handling. Conversation channels are not an appropriate place for credential collection, and the risk is amplified here because the key would be used for billable external services and persistent agent configuration.

Ssd 3

High
Confidence
98% confidence
Finding
The skill provides step-by-step instructions for extracting browser cookies and reusing them for login. Cookies are active session secrets; encouraging manual extraction and insertion into files can enable account takeover if the data is exposed, reused improperly, or retained on disk.
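Several of the findings above (the hard-coded DOUBAO_API_KEY export, the MD2CARD key requested in chat, the a1/web_session cookie extraction steps, the FFmpeg install instruction, and the Xvfb/MCP background starts) and the two curl calls quoted in the External Transmission findings that follow are all patterns a reviewer can catch with line-level static checks before installing a skill. The script below is an added example, not part of this report or of the skill it scans: it runs those checks over constructed sample lines that imitate a README and an "environment check" script. The regexes, file names and the placeholder key value are assumptions; tune them for a real repository.

```python
"""Static checks for the risk classes this report flags, run over constructed
sample text (not the real skill's files). Added example; the rules below are
assumptions about how such README/script lines look."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    line_no: int
    text: str


RULES = [
    # export FOO_API_KEY="literal value"; a $-reference on the right-hand side is fine
    ("hardcoded-secret-export",
     re.compile(r'^\s*export\s+\w*(KEY|TOKEN|SECRET)\w*\s*=\s*["\']?[A-Za-z0-9_\-]{16,}')),
    # "send/paste your API key in chat" style instructions
    ("secret-requested-in-chat",
     re.compile(r'(send|paste|provide|tell).{0,40}(api key|token|secret).{0,40}'
                r'(in chat|in the chat|to the agent)', re.I)),
    # manual extraction of the a1 / web_session session cookies
    ("cookie-extraction-instruction",
     re.compile(r'\b(a1|web_session)\b.*(cookie|copy|extract)'
                r'|(cookie|copy|extract).*\b(a1|web_session)\b', re.I)),
    # host-level package installation prescribed by the docs
    ("system-package-install",
     re.compile(r'\b(apt-get|apt|brew|yum|dnf|pacman)\s+(-y\s+)?install\b'
                r'|\binstall\b.{0,20}\bffmpeg\b', re.I)),
    # daemonised or backgrounded processes started without confirmation
    ("background-service-start",
     re.compile(r'\b(nohup\s+\S+|Xvfb\b.*&\s*$|systemctl\s+start\b)')),
    # credential placed in the URL query string (ends up in access logs, history, ps)
    ("api-key-in-query-string",
     re.compile(r'curl\b.*[?&](key|api_key|apikey|token)=\$')),
    # any outbound POST: content leaves the machine, so it needs disclosure
    ("outbound-post",
     re.compile(r'curl\b.*-X\s+POST\b')),
]

# Constructed samples imitating the documented patterns; not the project's files.
README_SAMPLE = """\
# Xhs Publish (constructed sample README, not the real project file)
Send your MD2CARD API key in chat and the agent will configure it.
Open browser devtools, copy the a1 and web_session cookies into cookies.json.
Install FFmpeg with your package manager before generating video.
"""

CHECK_SCRIPT_SAMPLE = """\
#!/usr/bin/env bash
# constructed sample of an "environment check" script (placeholder key, not a real one)
export DOUBAO_API_KEY="sk-abcdefghijklmnopqrstuvwxyz123456"
export IMG_API_KEY="${IMG_API_KEY:-}"
systemctl start xvfb || Xvfb :99 -screen 0 1280x720x24 &
nohup python3 -m xhs_mcp >/tmp/mcp.log 2>&1 &
curl -s -X POST "${GEMINI_API_URL}?key=${GEMINI_API_KEY}" -H "Content-Type: application/json" -d "$PAYLOAD"
"""


def scan(text: str, source: str) -> list[Finding]:
    """Run every rule over every line; at most one Finding per (rule, line)."""
    hits: list[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                hits.append(Finding(rule, source, no, line.strip()))
    return hits


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, for a quick go/no-go view of a skill."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def scan_samples() -> list[Finding]:
    return scan(README_SAMPLE, "README.md") + scan(CHECK_SCRIPT_SAMPLE, "check_env.sh")


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.text}")
    print(summarize(scan_samples()))
```

Note that the hard-coded-secret rule deliberately ignores `export IMG_API_KEY="${IMG_API_KEY:-}"`, which only re-exports an existing variable; it fires only on a literal value, which is the case the Critical finding describes.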

External Transmission

Medium
Category
Data Exfiltration
Content
RESPONSE_FILE="${TMP_DIR}/openai_response.json"

    curl -s -X POST "${IMG_API_BASE}/images/generations" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IMG_API_KEY}" \
      -d "{\"model\": \"${IMG_MODEL}\", \"prompt\": ${PROMPT_ESCAPED}, \"n\": 1, \"size\": \"1536x1024\", \"response_format\": \"b64_json\"}" \
Confidence
97% confidence
Finding
curl -s -X POST "${IMG_API_BASE}/images/generations" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IMG_API_KEY}" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
RESPONSE_FILE="${TMP_DIR}/gemini_response.json"

curl -s -X POST "${GEMINI_API_URL}?key=${GEMINI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d "$PAYLOAD" \
  -o "$RESPONSE_FILE"
Confidence
98% confidence
Finding
curl -s -X POST "${GEMINI_API_URL}?key=${GEMINI_API_KEY}" \ -H "Content-Type: application/json" \ -d
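The two quoted curl calls share a shape worth correcting in any rewrite of the skill: the Gemini key travels in the URL query string, where it is copied into proxy and server access logs, shell history and `ps` output, and the JSON body is assembled by interpolating shell variables into a string. The block below is an added example, not the project's code, showing the same outbound call built so that the key sits in a request header, the body is produced by a JSON encoder (so titles containing quotes or newlines cannot break it), and the record written to a log or shown to the user before sending contains neither the key nor the content. The endpoint URL, key and title are placeholders; `x-goog-api-key` is the header form of the Gemini API's `?key=` parameter.

```python
"""Hardened construction of the outbound title request. Added example, not the
project's code; URL and key below are placeholders."""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlsplit
from urllib.request import Request


@dataclass(frozen=True)
class OutboundCall:
    url: str
    headers: dict[str, str]
    body: bytes

    def to_request(self) -> Request:
        """The object you would hand to urllib.request.urlopen to actually send it."""
        return Request(self.url, data=self.body, headers=self.headers, method="POST")


def build_title_request(api_url: str, api_key: str, title: str) -> OutboundCall:
    # The secret goes in a header, never in the query string, so it does not
    # reach access logs, shell history or process listings.
    body = json.dumps({"contents": [{"parts": [{"text": title}]}]},
                      ensure_ascii=False).encode("utf-8")
    headers = {"Content-Type": "application/json", "x-goog-api-key": api_key}
    return OutboundCall(api_url, headers, body)


def secret_in_url(call: OutboundCall, api_key: str) -> bool:
    """Guard to run before sending: refuse if the key ended up in the URL."""
    return api_key in call.url


def disclosure_line(call: OutboundCall) -> str:
    """Notice to show the user at the point of use: where the data goes and how
    much, without echoing the key or the content."""
    return f"about to send {len(call.body)} bytes of your title to {urlsplit(call.url).netloc}"


def log_record(call: OutboundCall) -> dict:
    """What may be written to a log: credential headers redacted, body omitted."""
    def redact(name: str, value: str) -> str:
        lowered = name.lower()
        return "<redacted>" if ("key" in lowered or lowered == "authorization") else value
    return {
        "url": call.url,
        "headers": {k: redact(k, v) for k, v in call.headers.items()},
        "body_bytes": len(call.body),
    }


if __name__ == "__main__":
    call = build_title_request(
        "https://generativelanguage.example.invalid/v1beta/models/x:generateContent",
        "PLACEHOLDER-KEY-NOT-REAL",
        'A title with "quotes", a backslash \\ and\na newline',
    )
    print(disclosure_line(call))
    print(log_record(call))
```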

VirusTotal

65/65 vendors flagged this skill as clean.
