Back to skill

Security audit

xiaohongshu |小红书 AI 宣传图和图文笔记技能

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates Xiaohongshu content and can publish it only when its publishing script is deliberately invoked with the user’s cookie.

Install only if you are comfortable providing API keys and a Xiaohongshu cookie that can act like your logged-in account. Keep XHS_COOKIE out of files and version control, avoid sensitive prompts because content is sent to external AI providers, use --dry-run before publishing, and use --public only when you intentionally want a public post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims publishing occurs only when the user explicitly requests it, but the documented implementation relies on an operator or agent choosing to invoke a separate publish script, with no code-level enforcement of user consent at publish time. Because publish_xhs.py can perform real authenticated posting using XHS_COOKIE and does not require an explicit consent artifact or interactive confirmation, an agent orchestration mistake, prompt injection, or unsafe wrapper could cause unauthorized posting to a real social-media account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a real publish operation to the user's Xiaohongshu account once invoked, without an interactive confirmation gate and with the public/private mode controlled entirely by CLI arguments. In an agent skill context, this is more dangerous because another component may invoke the script automatically, causing unintended posting to a real account with the user's authenticated session.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.