Xiaohongshu Automation V2 (小红书自动化 V2)

Security checks across malware telemetry and agentic risk

Overview

This is a real Xiaohongshu automation skill, but it needs Review because it combines logged-in social-account actions with anti-detection browser behavior and weak safety gates.

Install only if you intentionally want automation of a real Xiaohongshu account and accept the account, platform, and browser-security risks. Use a dedicated account and isolated browser profile or VM, avoid unattended live posting, prefer the fill-only workflows followed by manual review, keep session files private, and understand that the skill uses anti-detection techniques and weakened Chrome sandbox settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The code explicitly injects a stealth script via `Page.addScriptToEvaluateOnNewDocument`, which is an anti-detection capability designed to mask browser automation from the target site. In the absence of a clearly justified defensive or testing purpose, this materially increases the likelihood that the skill is intended to evade platform bot detection and automate actions that a site is trying to prevent.

Context-Inappropriate Capability

Medium, 92% confidence
Finding
The browser setup overrides the user agent and randomizes viewport/device metrics specifically to imitate a real user environment rather than exposing normal automation characteristics. Combined with the stealth injection in this module, these behaviors form a coherent evasion pattern that can help bypass anti-bot heuristics and make abusive automation harder to detect.

Missing User Warnings

Medium, 90% confidence
Finding
The skill explicitly advertises persistent cookie storage for saved login sessions but does not warn users about the privacy and account-security implications of storing active session credentials on disk. In an automation skill that performs login, posting, search, and social actions against a real user account, stolen or mishandled cookies could enable unauthorized account access and impersonation without requiring re-authentication.

Missing User Warnings

Medium, 84% confidence
Finding
The `kill_chrome` helper can terminate any process listening on the selected port, not just a Chrome instance started by this code. In a shared or multi-user environment, a mistaken or attacker-influenced port value could cause denial of service against unrelated local applications without confirmation or ownership checks.

Missing User Warnings

Medium, 91% confidence
Finding
The function directly posts public comments after navigation and field interaction with no confirmation, preview, policy check, or operator acknowledgment. In an agent skill context, this enables unintended or mass automated posting if upstream inputs are wrong, manipulated, or triggered without clear user awareness, creating spam, impersonation, or reputational harm.

Missing User Warnings

Medium, 93% confidence
Finding
The reply path automates locating a comment and submitting a reply without any explicit warning or confirmation, which is especially risky because it targets an existing user's thread. If invoked with incorrect or adversarial parameters, it can post unwanted replies at scale, harass users, or create deceptive engagement under the operator's account.

Missing User Warnings

Medium, 94% confidence
Finding
When interaction state cannot be read, the code deliberately assumes the opposite state and clicks the like button anyway, causing an account-affecting action without confirming the user still intends it. In automation that controls a real account, this can produce unintended likes/unlikes and leaves no hard guarantee that the requested operation matches the account's actual prior state.

Missing User Warnings

Medium, 94% confidence
Finding
If favorite state lookup fails, the function assumes the opposite state and clicks the collect button, which can modify the user's account without reliable state validation. Because the function still returns success even when verification fails after retry, it may hide unintended favorite/unfavorite actions and make misuse harder to detect.

Missing User Warnings

Medium, 96% confidence
Finding
The file explicitly implements browser anti-detection evasion and includes insecure Chrome launch flags such as `--no-sandbox` and `--disable-setuid-sandbox`. In the context of an agent skill, this lowers browser security boundaries and facilitates covert automated interaction with third-party sites, increasing the blast radius if hostile content is visited or the automation is abused.

VirusTotal

65/65 vendors flagged this skill as clean.
