Security Audit
autoclaw-cc/xiaohongshu-skills:root
github.com/autoclaw-cc/xiaohongshu-skills
Trust Assessment
autoclaw-cc/xiaohongshu-skills:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 27 findings: 8 critical, 12 high, 7 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, Unsafe deserialization / dynamic eval.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 11, 2026 (commit c26fa986). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (27)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to a raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | scripts/chrome_launcher.py:198 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/chrome_launcher.py:157 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/chrome_launcher.py:318 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/chrome_launcher.py:334 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/chrome_launcher.py:355 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/cli.py:99 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths and are strictly necessary. Prefer library APIs over shell commands. | Manifest | scripts/cli.py:101 |
| CRITICAL | Prompt injection attempt in SKILL.md. The SKILL.md file contains explicit instructions intended to manipulate the host LLM's behavior, such as 'All Xiaohongshu operations may only be performed through this project's `python scripts/cli.py`; do not use tools from any external project'. This is a direct attempt to override the LLM's own reasoning and force specific tool usage, which is a form of prompt injection. Remove instructions from the skill's documentation that attempt to control the host LLM's behavior; the LLM should decide tool usage from user intent and tool descriptions, not from hardcoded directives inside the skill's untrusted content. | LLM | SKILL.md:10 |
| HIGH | Unsafe deserialization / dynamic eval: Python builtins/import manipulation. Remove obfuscated code-execution patterns; legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | scripts/test_headless_login.py:13 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function 'launch_chrome'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/chrome_launcher.py:157 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_find_pids_by_port'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/chrome_launcher.py:318 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_find_pids_by_port'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/chrome_launcher.py:334 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function '_kill_pid'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/chrome_launcher.py:355 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function '_open_file_if_display'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/cli.py:99 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function '_open_file_if_display'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/cli.py:101 |
| HIGH | Dangerous call: __import__(). Call to '__import__()' detected in function '<module>'; this can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system and use safer alternatives. | Static | scripts/test_headless_login.py:13 |
| HIGH | Server-Side Request Forgery (SSRF) via image downloader. The `ImageDownloader` class in `scripts/image_downloader.py` fetches images from user-provided URLs using `requests.Session().get()`. The `image_url` parameter is taken directly from user input (e.g., the `--images` argument in `publish_pipeline.py`). An attacker could supply an internal IP address or a URL to a sensitive internal resource, leading to SSRF; this could allow probing of internal networks or exfiltration of data to an external server. Implement strict URL validation for `image_url` so it points only to trusted external domains: use an allow-list of domains or a URL parsing library to restrict schemes and hosts, and configure the `requests` session so it does not follow redirects to internal IPs or non-HTTP/HTTPS schemes. | Static | scripts/image_downloader.py:69 |
| HIGH | Command injection via the CHROME_BIN environment variable. The `find_chrome` function in `scripts/chrome_launcher.py` prioritizes the `CHROME_BIN` environment variable when locating the Chrome executable. An attacker who controls this variable could point it at an arbitrary malicious executable; when `launch_chrome` calls `subprocess.Popen` with that path, the result is arbitrary command execution. Avoid relying solely on environment variables for the paths of critical binaries. If `CHROME_BIN` must be supported, validate its value to ensure it points to a legitimate Chrome/Chromium executable, or use a more robust Chrome discovery method that is less susceptible to environment variable manipulation. | Static | scripts/chrome_launcher.py:68 |
| HIGH | Path traversal in the Chrome user data directory. The `user_data_dir` for Chrome is built from `account_manager.get_profile_dir(name)`, where `name` comes from the user-controlled `--account` argument in `cli.py`. An account name containing path traversal sequences (e.g., `../../malicious_dir`) would cause Chrome's profile data to be written to an arbitrary filesystem location, which could overwrite system files, create malicious configurations, or exfiltrate sensitive data. Sanitize the `account` name to prevent path traversal: allow only alphanumeric characters, hyphens and underscores, reject `/`, `\` and `.`, and after `os.path.normpath` check that the resulting path is still inside the intended base directory. | Static | scripts/account_manager.py:125 |
| HIGH | Arbitrary file write / data exfiltration via cookie path traversal. As with the Chrome user data directory, `get_cookies_file_path` in `scripts/xhs/cookies.py` uses the user-controlled `account` name to build the path where cookies are saved. An account name with path traversal sequences (e.g., `../../sensitive_location`) would make the skill write the browser's cookies, which contain session credentials, to an arbitrary filesystem location, enabling data exfiltration or unauthorized access. Sanitize the `account` name to prevent path traversal: allow only alphanumeric characters, hyphens and underscores, reject `/`, `\` and `.`, and after `os.path.normpath` check that the resulting path is still inside the intended base directory. | Static | scripts/xhs/cookies.py:10 |
| MEDIUM | Suspicious import: socket. Import of 'socket' detected; this module provides network or low-level system access. Verify the import is necessary, since network and system modules in skill code may indicate data exfiltration. | Static | scripts/chrome_launcher.py:11 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected; this module provides network or low-level system access. Verify the import is necessary, since network and system modules in skill code may indicate data exfiltration. | Static | scripts/chrome_launcher.py:196 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected; this module provides network or low-level system access. Verify the import is necessary, since network and system modules in skill code may indicate data exfiltration. | Static | scripts/image_downloader.py:11 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected; this module provides network or low-level system access. Verify the import is necessary, since network and system modules in skill code may indicate data exfiltration. | Static | scripts/xhs/cdp.py:14 |
| MEDIUM | Suspicious import: http.client. Import of 'http.client' detected; this module provides network or low-level system access. Verify the import is necessary, since network and system modules in skill code may indicate data exfiltration. | Static | scripts/xhs/login.py:153 |
| MEDIUM | Unpinned Python dependency version. Dependency 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies to exact versions where feasible. | Dependencies | pyproject.toml |
| MEDIUM | Excessive permissions: full browser control via CDP. The skill uses the Chrome DevTools Protocol (CDP) to take full control of a Chrome browser instance, including navigating to arbitrary URLs, executing arbitrary JavaScript (`Page.evaluate`), reading DOM content, and interacting with forms. CDP is powerful for automation, but this level of control is inherently high-risk: if any user input reaches CDP methods (especially `Page.evaluate`) without complete sanitization, the result can be arbitrary code execution within the browser context, data exfiltration, or malicious navigation. Implement rigorous validation and sanitization for all user-controlled data passed to CDP methods, especially `Page.evaluate`, `Page.evaluate_function` and `Page.navigate`; ensure strings are properly escaped (e.g., with `json.dumps` before embedding in JavaScript) and URLs are strictly allow-listed or validated, and audit CDP usage regularly so no new attack vectors are introduced. | Static | scripts/xhs/cdp.py:86 |
Full report: https://skillshield.io/report/cb98682597960a4a (powered by SkillShield)