Security audit

Xiaohongshu Content Automation Workflow

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only workflow for drafting Xiaohongshu posts, with optional publishing delegated to separate browser automation rather than implemented in the skill itself.

Safe to install for drafting and formatting Xiaohongshu posts. Before using any auto-publish path, review the separate browser automation and Xiaohongshu skills, confirm each post manually, and only grant logged-in account/session access when you intend the agent to act on that account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly states that automatic publishing can be performed through browser automation, but it does not warn users about the risks of triggering real posting actions on a live social-media account. In this context, the omission is meaningful because publishing can create irreversible external side effects such as accidental posts, account flags, spam behavior, or reputational damage.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.