Security audit

小红书自动发布 (Xiaohongshu Auto-Publish)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises, but it can publish to a real Xiaohongshu account through a logged-in Chrome session without a final confirmation step.

Install only if you intend this skill to publish directly to a live Xiaohongshu account. Review the dated video and title file before invoking it, use a dedicated Chrome profile if possible, close Chrome debugging when finished, and avoid relying on broad trigger phrases for account-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code starts or attaches to Chrome with the remote debugging port enabled and then connects via Puppeteer, which grants broad control over the user's browser context, cookies, tabs, and authenticated sessions. In this skill, that access is not narrowly scoped and is used against an existing profile, making it dangerous if run without explicit informed consent.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script uses a persistent logged-in browser session to open the Xiaohongshu creator portal, upload content, fill fields, and publish a post. Automating a high-impact account action like content publication without interactive approval or clear authorization can lead to unauthorized posting, reputation damage, and misuse of the account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill automates posting to a live Xiaohongshu account, but the description does not clearly warn the user that invoking it will perform a real external publish action. This increases the risk of accidental posting, reputational damage, and unintended disclosure of content, because users may treat it as a drafting or preview aid rather than a live publication workflow.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The code programmatically clicks the publish button and retries until it succeeds, but there is no final user confirmation, dry-run mode, or safety interlock. Because publishing is an externally visible, irreversible account action, this creates a strong risk of accidental or unauthorized posting.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script launches Chrome with remote debugging and relies on the user's existing logged-in profile, but it does not clearly disclose that it will access persistent browser sessions and authenticated account state. This weakens user awareness and consent around sensitive session reuse and browser-level control.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger phrases are broad natural-language commands such as '发小红书' and '发布笔记', which can overlap with ordinary user requests and cause the skill to activate unexpectedly. Because this skill performs automatic social-media publishing, accidental invocation could lead to unintended posts, privacy leakage, or unauthorized account actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The manifest explicitly describes automatic publishing to Xiaohongshu but does not warn users that the skill can perform external, account-affecting actions. In this context, missing safety disclosure is risky because the skill also references browser debugging mode and cookie-based access, increasing the chance of unintended posting or misuse of authenticated sessions.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: skill.js:9