Security audit

Maxhub Xiaohongshu

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Xiaohongshu data skill, but it needs review because it handles profile, favorites, group, and session-like data with broad routing and incomplete guardrails.

Install only if you intend to route Xiaohongshu searches, note IDs, user IDs, share links, and related profile/comment data through MaxHub at https://www.aconfig.cn. Keep MAXHUB_API_KEY private, do not provide Xiaohongshu cookies or session credentials, require explicit Xiaohongshu/RED intent before calling it, and use extra care before looking up a person’s profile, favorites, commenters, or groups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The privacy notice says returned comments, bullet chats, activities, private messages, and contacts may contain personal information or sensitive UGC, which expands the apparent data scope far beyond the stated 'public notes and user data' capability. Even if the API is intended to be read-only, documenting handling of private messages or contacts normalizes collection of highly sensitive content and can encourage over-collection or misuse of personal data.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The documentation explicitly describes `session_id` as a sensitive login credential, yet recommends carrying it forward across pagination requests in normal agent chains. That creates a real risk of unnecessary credential propagation, logging, prompt leakage, or reuse outside the minimal scope needed for a single request, especially in an agent ecosystem where intermediate values may be surfaced or stored.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The documented `search_groups` capability expands the skill from public note/user analytics into group-chat discovery, which is a materially different and more privacy-sensitive use case than the manifest suggests. Even if read-only, enabling agents to search for groups can facilitate discovery, profiling, or targeting of semi-private communities without clear user-need or scope justification.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The example prompt triggers are extremely generic terms like '笔记', '详情', 'comments', '用户', and 'profile', which can overlap with many ordinary user requests and cause the agent to invoke this skill unintentionally. In a skill that accesses external APIs and returns user, note, comment, and recommendation data, unintended invocation can lead to unnecessary third-party data access, privacy overcollection, or incorrect routing of user requests.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger words given in the README, such as “笔记、详情、评论、用户、搜索、热榜、商品、话题” (note, details, comments, user, search, hot list, products, topics), are all very broad and overlap heavily with high-frequency words in ordinary conversation, making it easy for the agent to invoke this skill in unintended scenarios. The skill sends requests to the external domain https://www.aconfig.cn; even though it is labeled read-only, an unintended trigger can still cause unnecessary outbound data transfer, query activity, or third-party requests derived from the user's context.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The feature description emphasizes rapid collection, profiling, and large-scale analysis of notes, comments, and user data for KOL research and competitive monitoring before presenting privacy constraints. That framing can encourage broad scraping or profiling behavior without front-loading authorization, proportionality, and platform-policy limits, increasing the chance of privacy-invasive use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The use-case section explicitly promotes KOL data collection, activity evaluation, and preference inference from posted and favorited notes, but does not repeat any concrete authorization or privacy safeguards in that section. In context, that makes sensitive profiling workflows feel endorsed as routine operational uses, which raises misuse risk even if the underlying API is read-only.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill documentation states that all requests are sent to https://www.aconfig.cn and encourages passing note_id, user_id, keywords, share links, comments, and retrieved profile/content data through chained calls, but it does not clearly warn users that these identifiers and social-content queries are transmitted to an external third-party service. This creates a transparency and privacy risk: users or downstream agents may unknowingly send personal or sensitive profiling inputs off-platform, especially when analyzing commenters, authors, and user profiles across linked endpoints.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This section documents reuse of a sensitive session identifier without clear privacy handling requirements, despite labeling it as sensitive. In practice, agents may echo, persist, or chain this value across steps, increasing the chance of session leakage or misuse if transcripts, telemetry, or downstream tools are exposed.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger list contains short, generic phrases such as "笔记详情" that can match many ordinary user requests and route the agent into the wrong recipe. In a chaining-oriented skill, misrouting can cause unnecessary downstream calls and broader-than-intended collection of note, comment, or user data from the external API.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Multiple recipes reuse the same or overlapping intent phrases, creating ambiguous routing conditions despite the documented longest-match and tie-break rules. An attacker or even a normal user can exploit this ambiguity to steer the agent into unintended API calls, especially where one recipe expands into comments, replies, author profiles, or additional cross-domain lookups.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrase “推荐” is overly broad for routing into the homefeed/recommendation recipe, so ordinary user requests containing that word could unintentionally invoke this skill and fetch Xiaohongshu recommendation data. In an agent setting, ambiguous triggers can cause incorrect tool execution, unnecessary third-party data access, and disclosure of external content the user did not clearly request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The share-link recipe accepts share_text containing an xhslink.com link and resolves it directly without a user-facing warning or confirmation step. Resolving external share links can expose the agent to untrusted input, trigger unintended network access to attacker-controlled or tracking links, and cause the skill to retrieve content the user may not realize is being opened.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The recipes enable retrieval of another user’s profile, posted notes, and public favorites from user-supplied identifiers or share links, but the file does not prominently warn about privacy implications or require the agent to verify authorization and data-minimization before disclosure. In a social-media analysis skill, this omission increases the risk of casual surveillance, profiling, and over-collection of personal data even if the underlying endpoints are nominally public/read-only.

Missing User Warnings

Severity: Medium
Confidence: 73%
Finding
The file instructs use of a bearer API key in the Authorization header but provides no handling guidance, despite this being sensitive authentication material. In agent settings, documentation that normalizes passing secrets without warning can lead to accidental logging, prompt leakage, replay, or exposure in tool traces.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This section explicitly labels `search_session_id` as a sensitive login credential and instructs agents to reuse it for pagination, but gives no warning about secrecy, retention, or output handling. Reusing session-linked credentials across calls increases the chance they will be surfaced in logs, cached in memory, or exposed to downstream steps, enabling session abuse or user tracking.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This endpoint again documents `search_session_id` as a sensitive login credential without any privacy or security handling constraints. Repetition across endpoints suggests the skill expects agents to pass around live session material as normal parameters, which materially raises the risk of credential leakage and unauthorized reuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill explicitly supports retrieving another user's profile, posted notes, and especially public favorite-note lists, but it does not include clear privacy guardrails beyond a brief note that private favorites are not visible. Even when data is technically public, aggregating and chaining profile, activity, and favorites endpoints can enable user profiling, behavioral inference, and collection of personal data beyond a typical end user's expectation.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.