Security audit

小红书智能排期发布器

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Xiaohongshu scheduler, but it needs review because it can automatically publish queued posts from a logged-in account and send status data to external notification services.

Install only if you are comfortable granting an automation tool the ability to publish Xiaohongshu posts from your logged-in account. Review the queue before starting the scheduler, use conservative rate limits, configure webhooks only to destinations you control, and inspect or pin the external xiaohongshu-mcp service and Python dependencies before using it with a real account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill describes capabilities that imply local file access and network communication, including reading image paths, talking to a localhost MCP service, and sending webhook notifications, but it does not declare corresponding permissions. This creates a transparency and least-privilege problem: users and host systems cannot accurately assess what the skill may access or transmit, increasing the risk of unintended file exposure or network egress.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding: The standalone CLI allows an operator or downstream automation to send arbitrary user-supplied content to external webhooks and Telegram chats, turning this file into a generic message exfiltration or spam utility. In an agent-skill context, functionality that can transmit unrestricted content outside the declared workflow increases abuse potential because it is decoupled from Xiaohongshu publish events and lacks policy checks, destination allowlisting, or content constraints.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill states that content will be saved to a local queue database and later published automatically, but it does not clearly warn users about persistent storage of post content, media paths, and scheduling metadata, nor about the consequences of autonomous posting. In a social-media automation context, silent persistence and unattended publication can lead to privacy issues, accidental posting, or reputational harm if queued content is outdated or incorrect.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill allows Feishu or DingTalk webhook notifications without warning that publication status, task identifiers, timing, and possibly account-related metadata may be sent to third-party services outside the local environment. This is a privacy and data-sharing risk, especially because operational details about posting activity may be exposed to external endpoints controlled by the user or misconfigured to unintended recipients.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The code performs a direct POST to a publishing endpoint using user-supplied title, content, and file paths with no explicit confirmation, dry-run mode, or safeguard for irreversible posting. In an agent setting, this increases the risk of unintended or unauthorized publication if upstream prompting, parameter handling, or user intent is ambiguous.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  python-dateutil>=2.8.0
Confidence: 94%
Finding: requests>=2.28.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  python-dateutil>=2.8.0
Confidence: 97%
Finding: pyyaml>=6.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  python-dateutil>=2.8.0
Confidence: 90%
Finding: python-dateutil>=2.8.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 92%
Finding: requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 98%
Finding: pyyaml

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.