Huo15 Xiaohongshu

Security checks across malware telemetry and agentic risk

Overview

This is mostly a Xiaohongshu writing assistant, but it includes logged-in scraping and anti-detection browser automation that users should review carefully before installing.

Install only if you are comfortable with a skill that can use your Xiaohongshu cookies or a logged-in Chrome profile for read-only scraping and analysis. Avoid the browser_bridge, scrape, safety_check, track_post, and A/B compare features on valuable accounts unless you understand the account-risk and platform-terms implications. If Anthropic LLM support is enabled, assume your draft and brand content may be sent to that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
time.sleep(2)

    # Launch Chrome (note: do not pass --enable-automation, do not set --disable-blink-features)
    subprocess.Popen([
        CHROME_BIN,
        f"--remote-debugging-port={CDP_PORT}",
        "--remote-allow-origins=*",
Confidence
96% confidence
Finding
subprocess.Popen([ CHROME_BIN, f"--remote-debugging-port={CDP_PORT}", "--remote-allow-origins=*", f"--user-data-dir={CHROME_PROFILE}", "--no-first-run",

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file includes a concrete publication workflow plus references to where publishing credentials can be found. Even though this appears aimed at maintainers rather than end users, documenting credential locations and release steps inside a broadly accessible skill artifact increases the chance of misuse, accidental disclosure, or unauthorized publishing if the file is exposed or consumed by an agent. The contradiction with the stated 'not for automated posting' scope makes this more suspicious, because it introduces operational deployment capability adjacent to the skill instructions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims it is not for automated posting or account automation, yet it includes a browser bridge with CDP-driven automation and operational controls for stealthy browsing. Even if limited to read-only actions, this is still account-adjacent automation and can violate user expectations, platform rules, or internal safety boundaries.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill documents multiple stealth and anti-detection measures such as hiding automation fingerprints, mimicking human timing, minimizing CDP commands, and managing quotas/circuit breakers around detection responses. These controls are not necessary for ordinary content writing assistance and strongly suggest intent to evade platform detection, which materially raises abuse potential for scraping and policy circumvention.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The changelog documents a browser bridge that performs live Xiaohongshu access, search, note retrieval, and analysis against the platform, which materially expands the skill from writing/coaching into operational interaction with a third-party service. In context, this is risky because it is paired with anti-detection controls and session/login handling, making the mismatch between declared scope and actual capability more than a documentation issue.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This section explicitly discusses evading platform detection using real Chrome/CDP, JA3/JA4/TLS fingerprinting, webdriver and cdc_ detection avoidance, behavior pacing, quotas, and circuit breakers. Those are classic anti-detection and account-risk-evasion mechanisms that enable stealthy scraping or automated access and are especially dangerous here because the skill’s stated purpose is content writing/coaching, not defensive browser research.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The stated philosophy claims the tool is only semi-automatic and keeps publishing in human hands, but the changelog elsewhere adds extensive live browser operations and stealth hardening. That contradiction can mislead reviewers and users about the real risk profile, reducing scrutiny around capabilities that interact with the platform in ways likely to trigger policy and abuse concerns.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The compare flow goes beyond offline drafting/analysis and performs authenticated retrieval of live Xiaohongshu post data. In this skill's stated context, that crosses into account-linked platform interaction and external data access, which increases privacy, compliance, and misuse risk if users run it without understanding that it contacts the platform and evaluates live posts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script silently loads authentication cookies from environment variables and uses them to access account-linked Xiaohongshu content. Even if intended for convenience, implicit credential use is risky because it can surprise users, expand the blast radius of a compromised runtime, and make accidental unauthorized access more likely.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The assistant exposes a `browser` command that can start, explore, search, open notes, and analyze through a browser bridge, which exceeds a pure writing/coaching scope and erodes the manifest boundary against automation-related behavior. In this skill context, adding browser-control primitives is more dangerous because users may invoke account-adjacent actions on Xiaohongshu under the guise of content assistance.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Routing to `browser_bridge.py` gives the assistant a general browser-control capability that is not necessary for a writing assistant and can expand into web interaction on a live platform. In the context of a Xiaohongshu content skill, this capability increases the chance of unauthorized scraping, account interaction, or policy-violating automation if the downstream bridge is permissive.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements browser automation for a skill whose declared purpose is writing/coaching, and it is explicitly built to reuse real browser fingerprints, cookies, and login state while avoiding detection. In context, that mismatch is a strong red flag: the capability enables covert authenticated browsing and scraping outside the stated user need and increases the chance of account abuse or platform-policy evasion.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script advertises stealth features such as using a real browser fingerprint, avoiding automation markers, leveraging persistent login state, and simulating human-like activity to bypass anti-bot systems. Those are not necessary for copywriting assistance and materially increase the risk of covert scraping, account misuse, and circumvention of platform defenses.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The health check performs browser fingerprint reconnaissance by inspecting webdriver indicators, cdc markers, plugin state, canvas behavior, hardware properties, and Chrome runtime exposure. In this context that is not needed for writing assistance; it functions as an anti-detection verification step that can help maintain stealth automation against platform defenses.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script explicitly states it stores full draft snapshots and iterative coaching history under the user's home profile, which creates persistent local retention of potentially sensitive user-written content. This expands the data-handling scope from transient analysis to archival storage, increasing privacy and confidentiality risk if the machine is shared, backed up, or later compromised.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function `llm_enrich_focus` sends draft text to an external LLM helper for rewrite suggestions, but that external transmission is not reflected in the manifest description. User draft content may contain private or unpublished material, so undisclosed third-party sharing creates a real data exposure and consent issue.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The AB validation feature transmits draft text and user-provided metadata to an external LLM service, which creates a confidentiality risk for unpublished or sensitive drafts. This is especially relevant because the tool is presented primarily as local draft storage/versioning, so users may reasonably assume content remains local unless clearly warned.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The helper exposes an autonomous tool-calling loop that allows the external model to decide which local handlers to invoke and with what inputs. In a writing-analysis skill, this expands the trust boundary unnecessarily; if unsafe handlers are registered elsewhere, prompt-injected model output could trigger unintended local actions or data access.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script can perform live Xiaohongshu scraping by accepting note IDs, loading cookies from the environment, and fetching note pages. That exceeds the declared skill scope of writing/analysis/coaching and creates a data-access capability that could pull private or account-scoped content depending on the supplied cookie, increasing privacy, compliance, and platform-abuse risk.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script is not merely a harmless self-check: it validates authenticated scraping access to Xiaohongshu and gives explicit anti-rate-limit / anti-detection pacing guidance for repeated scripted access. In the context of a skill advertised for writing and content analysis rather than platform automation, this introduces an unjustified capability that can facilitate stealthy scraping or account-access abuse and increases legal, compliance, and account-security risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads a live authentication cookie from the environment and uses it to perform authenticated requests against Xiaohongshu. For a drafting/analysis skill, handling user session cookies is unnecessary and dangerous because it expands the trust boundary to credential material that can enable account access, data extraction, and evasion of normal user-facing controls.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
This script automates authenticated retrieval of Xiaohongshu note content using a session cookie, which materially expands the skill from writing/coaching into platform scraping. In the context of a skill that explicitly says it should not be used for automated posting or account automation, adding credential-backed extraction capability increases the risk of misuse, policy violations, and unauthorized data collection from a logged-in session.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The script instructs users to export a live browser cookie into an environment variable and then uses it for authenticated requests. Handling session cookies this way exposes highly sensitive credentials to local process environments and broadens the blast radius if logs, subprocesses, shell history, or other tooling leak environment variables.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script performs authenticated scraping of Xiaohongshu search results using a user-supplied cookie, which exceeds the skill’s declared writing/analysis scope and undermines the manifest’s explicit prohibition on automation. Even though it only fetches one page, it still operationalizes account-backed data extraction and could encourage policy-violating use, account risk, or unauthorized collection at scale if reused.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Reading authentication cookies from environment variables gives the script access to an authenticated Xiaohongshu session, a sensitive capability that is not necessary for a copywriting or content-analysis skill. This increases the blast radius of misuse because leaked logs, misconfigured environments, or downstream code changes could expose or abuse session credentials tied to a real account.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal