Trust Assessment
xiaohongshu received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 2 critical, 5 high, 1 medium, and 2 low severity. Key findings include persistence / self-modification instructions, a systemd service persistence mechanism, and an unpinned third-party binary download.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)

| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hi-yu/xhs/SKILL.md:303 |
| CRITICAL | Persistence / self-modification instructions | systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hi-yu/xhs/SKILL.md:343 |
| HIGH | Persistence mechanism: systemd service | Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hi-yu/xhs/SKILL.md:303 |
| HIGH | Persistence mechanism: systemd service | Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hi-yu/xhs/SKILL.md:343 |
| HIGH | Unpinned third-party binary download | The skill downloads the 'xiaohongshu-mcp' binary from a third-party GitHub repository using 'latest/download' without specifying a fixed version or performing any checksum verification. This makes the skill vulnerable to supply chain attacks if the upstream repository is compromised or a malicious update is pushed. An attacker could replace the binary with a malicious version, leading to arbitrary code execution on the host system. Pin the downloaded binary to a specific version and include a checksum (e.g., SHA256) verification step. Alternatively, consider building from source or using a trusted package manager if available. | LLM | SKILL.md:309 |
| HIGH | Excessive screen capture permissions | The command `import -window root /tmp/xhs_qr.png` captures the entire root window of the Xvfb display. This grants excessive permissions for screen capture and poses a significant data exfiltration risk. Any sensitive information displayed by other applications running within the same Xvfb session could be captured and potentially exposed. If screen capture is necessary, restrict it to the specific application window (e.g., using `xdotool getactivewindow` and then `import -window <window_id>`) or use a more targeted method that only captures the QR code itself, rather than the entire display. | LLM | SKILL.md:249 |
| HIGH | Environment variable for MCP URL allows redirection | The `MCP_URL` for the Xiaohongshu MCP service can be overridden by the `XHS_MCP_URL` environment variable. If an attacker can control this environment variable (e.g., through a prompt injection attack that sets environment variables or by compromising the execution environment), all subsequent `curl` calls to the MCP service could be redirected to an attacker-controlled server. This could lead to credential harvesting (e.g., session IDs, API keys if passed to MCP) and data exfiltration. Restrict the ability to override `MCP_URL` via environment variables, or implement strict validation of the URL to ensure it points only to trusted local endpoints. Ensure that no sensitive information is passed to the MCP service that could be exfiltrated if the URL is redirected. | LLM | SKILL.md:139 |
| MEDIUM | Arbitrary local file access via MCP tools | The `publish_content` and `publish_with_video` tools accept `images` (an array of local absolute paths) and `video` (a local absolute path) as parameters. This means the MCP service, when invoked, will attempt to access arbitrary files on the local filesystem based on user-provided paths. If the LLM is tricked into providing malicious file paths, or if the MCP service itself has vulnerabilities, this could lead to unauthorized file access, modification, or deletion on the host system. Implement strict validation and sanitization of all file paths passed to the MCP service. Consider restricting file access to a designated sandbox directory or using a file picker mechanism instead of direct path input. The MCP service should also implement robust input validation and error handling for file operations. | LLM | SKILL.md:190 |
| LOW | Direct insertion of user input into ImageMagick caption | The `scripts/cover.sh` script directly inserts the user-provided title (`$TITLE`) into the ImageMagick `caption:"${TITLE}"` argument. While ImageMagick's caption handling is generally robust against shell injection, direct insertion of untrusted input into command-line arguments can sometimes expose vulnerabilities in the underlying tool's parsing logic (e.g., format string bugs or specific escape sequences). For maximum security, consider writing the user-provided title to a temporary file and then using ImageMagick's `@filename` syntax (e.g., `caption:@/tmp/title.txt`) to pass the content, which avoids direct command-line argument parsing of the title string. | LLM | scripts/cover.sh:169 |
| LOW | Direct insertion of user input into xdotool type command | The command `xdotool type --window "$WIN_ID" --delay 50 '<CODE>'` directly inserts a user-provided verification code (`<CODE>`) into the `xdotool type` command. While verification codes are typically numeric, if `xdotool` interprets special characters (e.g., `Return`, `Tab`, `Escape`, or specific sequences), a malicious user could potentially inject commands or manipulate the GUI by providing a specially crafted code. `xdotool type` is designed to simulate literal key presses, but it is still a direct insertion of untrusted input into a command. Implement strict input validation for the verification code, ensuring it contains only expected characters (e.g., digits). If possible, use a method that does not involve direct command-line insertion of untrusted input for GUI automation. | LLM | SKILL.md:269 |
Full report: https://skillshield.io/report/9fb85eda8607de14