Security audit

Xiaohongshu Ops

Security checks across malware telemetry and agentic risk

Overview

This skill is legitimate Xiaohongshu automation, but it can publish live posts through a saved browser login without strong per-run confirmation controls.

Install only if you are comfortable with a skill that can use a persistent Xiaohongshu browser login and publish public posts. Use a dedicated account/profile, keep review-before-publish enabled, avoid one-shot publish scripts unless you intend to post immediately, and periodically clear the saved browser profile if you do not want login state retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The script unconditionally runs `pkill -f xhs-independent-user-data` before launching the browser, which can terminate unrelated processes whose command lines happen to match that string. This creates a denial-of-service and data-loss risk because it may kill an active browser session using the same profile without warning, potentially interrupting user work or corrupting profile state.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly advertises fully automated publishing and reading local rules/profile data, but it does not clearly warn that the skill can access local files and trigger external side effects such as posting content. In an agent setting, missing disclosure and confirmation boundaries can cause unintended publication, misuse of sensitive local configuration, or execution in contexts where the user did not realize the skill performs system- and account-impacting actions.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README explicitly advertises fully automated Xiaohongshu operations and reading local rules/profile data, but it does not clearly warn that the skill may access local private content and perform account-impacting actions. In an agent setting, missing disclosure and review requirements can cause unintended posting, misuse of stored account context, or privacy leakage from local files.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: Documenting automatic browser-based publishing without a prominent caution or mandatory human review increases the risk that an agent will post to a live account without the user's informed approval. Because this involves a real platform account and browser automation, mistakes can directly affect reputation, violate platform rules, or trigger account sanctions.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The workflow includes saving profile data locally and publishing through a dedicated browser profile, yet the description does not warn users that local writes and browser-backed actions may occur. This weakens informed consent and can lead users to invoke the skill without understanding that persistent state and authenticated browser automation are involved.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger examples are broad enough that ordinary requests like '帮我运营小红书' or '发一篇小红书' could cause the skill to initiate a workflow that progresses toward real content creation and eventual publishing. In a skill that includes external posting automation, ambiguous invocation increases the chance of unintended activation and user actions being interpreted as consent for a higher-impact workflow.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The workflow instructs the agent to publish through an independent browser flow but does not require a clear warning that this will perform real browser automation and may create external side effects on the user's account. Because the skill is specifically designed for end-to-end Xiaohongshu operations, the missing warning is more dangerous than in a draft-only skill: users may not realize the agent is transitioning from content assistance to live account actions.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The 'first publish test' directs the agent to generate and prepare/publish a post to verify the full chain works, but it does not clearly warn that this test can create a real public post on an external platform. Test-language can mislead users into thinking the action is harmless or simulated, creating a substantial risk of accidental posting, reputational harm, or account misuse.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script creates and reuses a persistent Chrome profile under the user's home directory, which can retain login sessions, cookies, browsing history, and other sensitive state across runs without any warning or consent flow. In the context of a publishing automation skill for Xiaohongshu, this increases the chance that later runs or other local processes access an already-authenticated account, causing unintended posting or leakage of account data.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Force-killing matching browser processes without any user-visible prompt removes user control over destructive behavior and can abruptly terminate legitimate sessions. In this skill context, the dedicated browser profile reduces scope somewhat, but it is still dangerous because the profile may be in active use and abrupt termination can cause unsaved work loss or session corruption.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The script automatically clicks the final publish button after filling content, causing real external-side effects on the Xiaohongshu account with no confirmation or preview gate. In an end-to-end publishing skill, this is especially dangerous because any prompt injection, bad input, wrong account context, or generated content error can immediately result in unwanted public posting, reputational harm, or policy violations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/build_xhs_post.js:92

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/run_ops_once.js:39

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/xhs_independent_publish.js:46