Trust Assessment
xiaohongshu received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 4 critical, 4 high, 1 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Persistence mechanism: systemd service, Command Injection in scripts/cover.sh via unsanitized arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hi-yu/rednote/SKILL.md:303 |
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hi-yu/rednote/SKILL.md:343 |
| CRITICAL | Command Injection in scripts/cover.sh via unsanitized arguments. The `scripts/cover.sh` script uses several user-controlled inputs directly within shell commands without sufficient sanitization, leading to potential command injection. Specifically:<br>1. `cp "$USER_IMAGE_PATH" "$AI_IMG"` (line 90) is vulnerable if `USER_IMAGE_PATH` contains shell metacharacters (e.g., `$(rm -rf /)`).<br>2. ImageMagick commands using `$MAGICK` (e.g., line 187) pass `$TITLE`, `$BG_COLOR`, and `$TEXT_COLOR` directly. While ImageMagick is generally robust, unsanitized input to arguments like `-annotate` or color codes can sometimes be exploited.<br>3. The final output path `"$OUTPUT"` (line 190) is also user-controlled and directly used in the `magick -append` command, making it vulnerable to shell metacharacters.<br>Sanitize all user-controlled variables (`USER_IMAGE_PATH`, `TITLE`, `BG_COLOR`, `TEXT_COLOR`, `OUTPUT`) before using them in shell commands. For file paths, ensure they are canonicalized and do not contain metacharacters. For ImageMagick text, consider writing the text to a temporary file and using the `@filename` syntax with `-annotate` to prevent injection. | LLM | scripts/cover.sh:90 |
| CRITICAL | Credential Harvesting and Command Injection via XHS_AI_API_URL in scripts/generate.sh. The `scripts/generate.sh` script constructs `curl` commands using the `XHS_AI_API_URL` environment variable. If an attacker can control this environment variable, they can redirect API calls, including the `Authorization: Bearer $API_KEY` header, to a malicious server. This leads to credential harvesting. Furthermore, the response from this potentially malicious server is then piped directly to `python3 -c "..."` (lines 90, 163). If the malicious server returns crafted Python code, it could be executed, leading to arbitrary command injection. Ensure that `XHS_AI_API_URL` is validated against a whitelist of trusted URLs or is configured from a secure source. Avoid piping arbitrary external output directly to `python3 -c`. Instead, use a dedicated and robust JSON parsing library or tool (like `jq`) that is less susceptible to code injection from malformed input. | LLM | scripts/generate.sh:86 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hi-yu/rednote/SKILL.md:303 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hi-yu/rednote/SKILL.md:343 |
| HIGH | Data Exfiltration of ~/.openclaw/openclaw.json in SKILL.md. The `SKILL.md` explicitly instructs the LLM to execute `cat ~/.openclaw/openclaw.json \| jq ...` to display model information. While `jq` is used to filter the output, the `cat` command reads the entire `openclaw.json` file. This file may contain sensitive configuration data, including API keys, tokens, or other credentials, which could be exfiltrated if the `jq` filter is insufficient or bypassed, or if the LLM's output handling is compromised. Avoid directly `cat`ing sensitive configuration files. Instead, use `jq` to directly read the file and extract only the necessary, non-sensitive fields, ensuring that no sensitive data is ever read into the shell's memory or passed through pipes if not strictly necessary. For example, `jq -r '.agents.defaults.model.primary // .agents.defaults.model // "未设置"' ~/.openclaw/openclaw.json`. | LLM | SKILL.md:20 |
| HIGH | Excessive Permissions / Privilege Escalation via sudo commands in SKILL.md. The `SKILL.md` contains multiple instructions for the LLM to execute `sudo` commands for system setup and service management (e.g., `sudo apt install`, `sudo systemctl enable xvfb`, `sudo systemctl start xhs-mcp`). If the host LLM is configured to execute `sudo` commands without explicit, per-command user confirmation or a robust privilege management system, this constitutes a significant privilege escalation risk. An attacker could potentially trick the LLM into executing arbitrary commands with root privileges. The host LLM environment should implement strict controls over `sudo` execution. Each `sudo` command should require explicit user confirmation, or the skill should be designed to run with minimal necessary privileges. For installation, consider providing a separate, user-executed setup script rather than embedding `sudo` commands directly within the LLM's operational instructions. | LLM | SKILL.md:266 |
| MEDIUM | Application-level Injection via xdotool type in SKILL.md. The `SKILL.md` instructs the LLM to use `xdotool type --window "$WIN_ID" --delay 50 '<CODE>'` to input a verification code. If the `<CODE>` placeholder is directly filled with unsanitized user input, a malicious user could inject arbitrary keystrokes into the target application (e.g., the login window). This could lead to unauthorized actions within the application, such as typing malicious commands or data. Ensure that any user input used to fill the `<CODE>` placeholder is strictly sanitized to contain only expected characters (e.g., digits for a verification code). Implement input validation to reject any input containing special characters or commands that `xdotool` might interpret in an unintended way. | LLM | SKILL.md:242 |
Full report: https://skillshield.io/report/00517ad8d99dc1af