Security audit

Temp Xhs Skill

Security checks across malware telemetry and agentic risk

Overview

This skill fits Xiaohongshu publishing work, but it gives an agent broad control over a logged-in social account, including auto-replies and local retention of drafts and comment records, without enough user-control boundaries.

Install only if you are comfortable letting an agent operate a logged-in Xiaohongshu account. Use a dedicated browser profile, require explicit preview and approval before every publish, edit, delete, scheduled post, or comment reply, and review or disable the local draft, schedule, and replied-comment record files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill expands from user-initiated publishing/management into autonomous cron-driven comment monitoring and replying, which changes the trust and risk model significantly. This can cause unsupervised external actions on a live social account, including inappropriate replies, spam-like behavior, or policy-violating interactions without explicit per-action user approval.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger condition is overly broad: 'when needing to publish or manage Xiaohongshu notes' could match many loosely related requests and cause the skill to activate unexpectedly. Because the skill can post content, manage drafts, delete notes, and reply to comments, accidental invocation could lead to unintended account actions or privacy-impacting data access.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs saving draft content to a local file without prominently informing the user that their unpublished text may be persistently stored outside the platform. Drafts can contain sensitive personal, business, or embargoed content, so silent local persistence increases confidentiality and retention risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The scheduled publishing queue is stored in a local file without clear disclosure that publication plans and related metadata will persist on disk. Such records can reveal campaign timing, account strategy, or unpublished content details and may be exposed to other local users or processes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill requires recording replied comment IDs or nicknames locally but does not warn that interaction data from third parties will be persistently stored. This creates privacy and compliance risk because user identifiers and communication history may be retained unnecessarily and without transparency.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.