Security audit

rockingland-trader-monitor

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the claimed Xiaohongshu monitoring task, but it handles live account cookies and includes broader account-action tools than a read-only alert skill needs.

Review before installing. Use it only on a trusted private machine, preferably with a dedicated Xiaohongshu account. Protect or remove cookie files after use, verify the downloaded MCP binaries yourself, and remove or restrict the generic MCP helper actions if you only need read-only monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly requires shell execution, file reads/writes, environment-variable access, and persistent local state, yet it declares no permissions. This creates a dangerous transparency gap: a user or orchestrator may invoke the skill without understanding that it installs binaries, reads cookies, writes state files, and sends notifications using local credentials.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The helper script exposes many MCP tools that go far beyond the skill's stated purpose of monitoring posts and sending alerts, including commenting, replying, liking, favoriting, publishing, and deleting cookies. In a monitoring skill, this overbroad capability materially increases the attack surface and enables unauthorized account actions if the script is invoked with untrusted input or by a compromised workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script explicitly advertises and enables posting and account-manipulation actions that are unjustified for a keyword-monitoring and notification skill. Because the skill context is read-oriented, inclusion of write actions is more dangerous: it creates a privilege mismatch where a monitoring workflow could be repurposed to spam, alter engagement, publish content, or reset login state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script copies authentication cookies into a fixed path under /tmp, which is a globally shared temporary directory and increases exposure risk for sensitive session material. Although the file is installed with mode 600, placing long-lived credentials in /tmp without user warning, ownership validation, or safer storage semantics can enable credential leakage, accidental reuse, or symlink/race abuse in multi-user environments.

Session Persistence

Medium
Category
Rogue Agent
Content
# 1. Install the xiaohongshu-mcp binaries
# Download the files for your platform from GitHub Releases:
# https://github.com/xpzouying/xiaohongshu-mcp/releases
mkdir -p ~/.local/bin
mv xiaohongshu-mcp-linux-amd64 ~/.local/bin/xiaohongshu-mcp
mv xiaohongshu-login-linux-amd64 ~/.local/bin/xiaohongshu-login
chmod +x ~/.local/bin/xiaohongshu-*
Confidence
87% confidence
Finding
mkdir -p ~/.local/bin
mv xiaohongshu-mcp-linux-amd64 ~/.local/bin/xiaohongshu-mcp
mv xiaohongshu-login-linux-amd64 ~/.local/bin/xiaohongshu-login
chmod +x ~/.local

VirusTotal

66/66 vendors flagged this skill as clean.