
Security audit

Just internal test skill

Security checks across malware telemetry and agentic risk

Overview

This skill is openly an automated Xiaohongshu engagement tool, but it goes further than its description suggests: it combines real account actions with anti-detection behavior, scheduling, multi-account support, and persistent local tracking.

Review carefully before installing. This skill is designed to automate visible social-platform engagement from your logged-in account, including comments and follows, and it includes anti-detection behavior plus scheduled unattended runs. Only use it if you accept the risk of account restrictions, public actions made on your behalf, local activity logs, and recurring automation; disable scheduling and multi-account features unless explicitly needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The design explicitly adds cron-based, unattended execution for engagement actions on a logged-in social media account. In this skill’s context, autonomous scheduling materially expands capability and risk: it enables repeated account actions without contemporaneous user review, increasing the chance of policy violations, account sanctions, and unintended actions if the page state or active account changes.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Multi-account switching broadens the skill from operating within one existing logged-in session to orchestrating activity across several accounts. In an automation-and-evasion context, that increases blast radius, makes mistakes more severe, and can facilitate scaled platform manipulation or accidental actions on the wrong account.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The skill contradicts itself by saying the de-duplication list is initialized empty at session start while later also describing persisted de-duplication via files and log recovery. In an automation skill that performs account actions, inconsistent state handling can cause repeated interactions on the same content, increasing detection risk and unintended actions across sessions.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This file does not merely automate browser interaction; it explicitly teaches how to reduce detection by making automated actions statistically resemble human behavior. In the context of a skill whose stated purpose is automated account nurturing, likes, follows, favorites, and comments, this is deliberate stealth guidance that enables policy evasion and abuse at scale.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill includes explicit detection of platform defenses such as captchas, frequency warnings, abnormal-activity prompts, and login anomalies, then prescribes behavioral changes or pauses so the automation can keep running without being flagged. That goes beyond normal error handling and becomes an evasion loop designed to adapt automation around platform enforcement signals.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The text attempts to normalize the design by saying some anti-detection techniques were removed, but immediately reframes the remaining design around controllable evasion dimensions. This is dangerous because it signals conscious adaptation to operational constraints while preserving the core goal of avoiding detection.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The guidance explicitly invokes Bash to read local log files, which exceeds the stated browser-DOM-only scope and introduces filesystem access into the workflow. In this skill’s context, that broadens the agent’s privileges and can expose local data or normalize unnecessary shell use inside an automation flow that already performs external platform actions.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The file expands the skill from DOM interaction into direct AI content generation and javascript_tool execution, creating a capability mismatch with the declared scope. Scope drift is dangerous because users and reviewers may believe the skill only automates clicks and typing, while it actually synthesizes public-facing content and executes auxiliary tooling, increasing behavioral and security risk.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The document states the dashboard is a self-contained static HTML with no external CDN dependencies, but the template loads Chart.js from jsDelivr. This introduces a supply-chain and privacy risk because opening the report will fetch remote JavaScript, enabling tracking, dependency tampering, or failures in restricted/offline environments. In the context of an automation skill for platform interaction, hidden external dependencies are more concerning because generated reports may be opened locally with an expectation of isolation.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill claims to operate with browser DOM actions only, but this section instructs use of a shell command to persist and query a local deduplication file. That expands the capability boundary from in-browser automation to local filesystem state manipulation, which can create unreviewed data persistence and execution-surface risks, especially in an adversarial skill context.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill claims to operate purely through browser DOM automation, but it also instructs execution of Bash commands that create and modify local files for logs and dedup state. This expands the trust boundary from in-browser interaction to host-side filesystem access, creating undisclosed side effects and increasing the chance of unauthorized local data modification or persistence.

Intent-Code Divergence

High
Confidence: 95%
Finding
The broader skill metadata says the skill avoids MCP tools, yet this file explicitly instructs use of MCP tab-management functions. That contradiction hides privileged capabilities from users and reviewers, making the automation more dangerous because it can create or recover tabs outside the declared operating model.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The guidance explicitly instructs the agent to browse unrelated content and visit notification or personal pages during cooldowns, which expands behavior beyond the declared scope of performing configured interaction actions. In the context of an automation skill for account nurturing, this broader account navigation increases unnecessary access to user data and account surfaces, creating privacy and misuse risk even if framed as 'human-like' behavior.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The file directs the agent to inspect the user's own profile and data as part of rest behavior, which is an additional account-access capability not necessary for rate control. Because this skill already automates social actions on a logged-in account, expanding into profile/data inspection increases exposure of personal information and account metadata without clear user need or consent.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The scheduler spec expands the skill beyond browser DOM interactions into logging, reporting, and user notification workflows. In this skill’s context—automation of platform interactions designed to simulate human behavior—extra orchestration and reporting capabilities increase operational reach and data handling without being necessary for the declared purpose, creating unnecessary privilege and misuse surface.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Cron registration and management gives the skill persistence and autonomous execution, which materially exceeds a user-invoked browser interaction tool. In the context of an automation skill for likes, follows, comments, and engagement farming, scheduled execution enables repeated unattended actions that can amplify abuse, evade oversight, and continue operating after the user is no longer actively supervising it.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Automatic synchronization between configuration and runtime cron state, including deletion of tasks, introduces a privileged orchestration channel that can alter system behavior beyond the skill’s stated function. Because this skill is built to automate engagement actions at scale, config-driven task creation/removal increases the risk of stealth persistence, accidental destructive changes, and operation without meaningful user awareness.
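The two cron findings above (registration of scheduled runs, and config-driven creation and deletion of cron tasks) come down to one question a user can check directly: what has this skill left in my crontab that will keep running after I stop watching it? The script below is an added example, not code from the audited skill or from SkillSpector. It parses crontab text into entries (skipping comments and environment assignments, and handling `@reboot`-style schedules) and reports the jobs whose command references a marker such as the skill's directory name. The crontab shown and the `xhs-engage` path in it are constructed for the example.

```python
"""Audit a crontab for scheduled jobs registered by an automation skill.

Added example (not from the audited skill or from SkillSpector). Usage:
    crontab -l | python3 cron_audit.py xhs-engage
The SAMPLE_CRONTAB below is constructed; the paths in it are hypothetical.
"""
import re
import sys
from dataclasses import dataclass

# Vixie-cron shorthand schedules that replace the five time fields.
SPECIAL_SCHEDULES = {
    "@reboot", "@yearly", "@annually", "@monthly",
    "@weekly", "@daily", "@midnight", "@hourly",
}
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


@dataclass
class CronEntry:
    schedule: str   # five time fields joined, or an @shorthand
    command: str    # everything after the schedule, as cron will run it
    line_no: int    # 1-based line in the crontab text


def parse_crontab(text: str) -> list:
    """Return the job entries in a crontab, ignoring comments and env lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # SHELL=, PATH=, MAILTO= ... set the job environment; they are not jobs.
        if ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if parts[0] in SPECIAL_SCHEDULES and len(parts) == 2:
                entries.append(CronEntry(parts[0], parts[1], n))
            continue
        # minute hour day-of-month month day-of-week command...
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append(CronEntry(" ".join(parts[:5]), parts[5], n))
    return entries


def find_skill_jobs(text: str, markers) -> list:
    """Jobs whose command mentions any marker (a skill directory, script name...)."""
    return [e for e in parse_crontab(text) if any(m in e.command for m in markers)]


# Constructed sample: two unrelated jobs plus two left behind by a skill
# installed under ~/.skills/xhs-engage (hypothetical path).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/30 9-22 * * * cd ~/.skills/xhs-engage && python3 run.py --account main >> logs/run.log 2>&1
@reboot ~/.skills/xhs-engage/scheduler.sh start
15 10 * * 1-5 /home/user/backup.sh
"""

if __name__ == "__main__":
    markers = sys.argv[1:] or ["xhs-engage"]
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for job in find_skill_jobs(text, markers):
        print(f"line {job.line_no}: [{job.schedule}] {job.command}")
```

Because the skill syncs cron state from its configuration, run the check again after editing the config or disabling scheduling: a job that was removed from the config but not from the crontab, or one re-created on the next run, is exactly the silent persistence the findings describe. Remember that per-user crontabs are only one place; `/etc/cron.d` and systemd timers would need the same inspection.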

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The template loads Chart.js from a third-party CDN, which introduces external network access and a supply-chain trust dependency into a skill that claims to operate via local browser DOM actions only. If the CDN response is tampered with, blocked, or monitored, the dashboard page could execute attacker-controlled JavaScript or leak usage metadata to an external party.
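This finding and the earlier Intent-Code Divergence finding about the dashboard both rest on a claim that is easy to verify mechanically: a report that is "self-contained static HTML" must not reference any off-host resource. The scanner below is an added example, not code from the audited skill or from SkillSpector. It walks the HTML with the standard library parser, lists every script, stylesheet, image or frame whose URL leaves the host (absolute `http(s)://` or protocol-relative `//` URLs), and records whether a Subresource Integrity hash is present, which is the minimum one would expect if a remote dependency were genuinely intended. The sample template is constructed to mirror the finding.

```python
"""Flag off-host resources in a generated HTML report.

Added example (not from the audited skill or from SkillSpector).
The SAMPLE_TEMPLATE below is constructed to match the finding: a report
described as self-contained that still loads Chart.js from jsDelivr.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalResourceScanner(HTMLParser):
    """Collects resource references whose URL resolves to another host."""

    # Tag -> attribute that names the resource the browser will fetch.
    RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        url = attr_map.get(attr_name)
        if not url:
            return
        parsed = urlparse(url)
        # A non-empty netloc means the URL names a host: absolute http(s)
        # or protocol-relative (//cdn...). Relative paths and data: URIs
        # have an empty netloc and stay local.
        if not parsed.netloc or parsed.scheme not in ("", "http", "https"):
            return
        self.findings.append({
            "tag": tag,
            "url": url,
            "host": parsed.netloc,
            "has_sri": "integrity" in attr_map,
            "crossorigin": attr_map.get("crossorigin"),
        })


def scan_html(html: str) -> list:
    """Return one record per off-host resource reference in the document."""
    scanner = ExternalResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_self_contained(html: str) -> bool:
    """True only when opening the page fetches nothing from a remote host."""
    return not scan_html(html)


# Constructed sample: local stylesheet and script, plus one CDN dependency
# carrying no integrity attribute.
SAMPLE_TEMPLATE = """<!doctype html>
<html><head>
<meta charset="utf-8">
<title>Engagement dashboard</title>
<link rel="stylesheet" href="./style.css">
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head><body>
<canvas id="chart"></canvas>
<script src="./report.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for item in scan_html(SAMPLE_TEMPLATE):
        sri = "with SRI" if item["has_sri"] else "NO integrity attribute"
        print(f"{item['tag']:<6} {item['host']:<22} {sri}  {item['url']}")
    print("self-contained:", is_self_contained(SAMPLE_TEMPLATE))
```

Run it against the report template before opening any generated report in a browser. An `integrity` hash would at least pin the script to a known build, but it does not remove the network request, so a report that is supposed to be viewable offline and in isolation should vendor the library locally instead.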

Missing User Warnings

Medium
Confidence: 95%
Finding
The design describes unattended automation that can like, follow, comment, switch accounts, and generate reports, but does not pair those capabilities with clear, prominent user warnings about irreversible external actions and persistent state changes. Because these actions affect third-party platforms and account state, lack of explicit informed consent and runtime visibility makes accidental misuse and unauthorized changes much more likely.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough that normal user language could invoke an automation skill that performs real account actions like likes, follows, favorites, and comments. In this context, accidental activation is materially risky because the skill is explicitly designed to simulate human behavior and manipulate platform interactions from a logged-in session.

Missing User Warnings

Medium
Confidence: 98%
Finding
The README describes automated engagement actions on a logged-in Xiaohongshu account without warning users that this can affect their account state, violate platform rules, or create reputational and moderation risk. Because the skill automates engagement while attempting to appear human, the missing warning makes the operation more dangerous by obscuring the behavioral and policy consequences of use.

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest uses very broad activation phrases around growth, interaction, and account activity, which can cause the automation skill to trigger in contexts where the user did not explicitly request risky automated engagement. Because this skill performs real browser actions on a logged-in social account, accidental activation materially raises the chance of unauthorized or policy-violating behavior.

Vague Triggers

Medium
Confidence: 94%
Finding
The task router maps vague phrases like '开始养号' ("start nurturing the account") and '执行互动' ("run interactions") directly to an automated interaction workflow without defining scope, limits, or explicit confirmation. In this context, those phrases can launch coordinated likes, follows, saves, and comments on a real user account, making unintended execution dangerous.

Missing User Warnings

High
Confidence: 99%
Finding
The skill explicitly directs automated social-platform engagement and persistent file writes while omitting clear warnings about account sanctions, platform policy violations, and stored activity data. The surrounding content is focused on simulating human behavior and avoiding detection, which makes the absence of user-facing risk disclosure especially dangerous and suggests the design is intended to conceal harmful consequences.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill stores note titles, note IDs, timestamps, and interaction history in persistent local files without a clear user-facing privacy notice, retention policy, or data-minimization controls. Even if the data seems operational, it is still behavioral tracking tied to a user's logged-in account activity and could expose private interests or account patterns if accessed or reused.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.