Trust Assessment
xiaohongshu-scraper received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 54 findings: 22 critical, 21 high, 11 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Arbitrary command execution", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (54)
| Severity | Finding | Details and Remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/SKILL.md:64 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/SKILL.md:69 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs-api-service.sh:36 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs-api-service.sh:37 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs-api-service.sh:65 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs-api-service.sh:66 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_api_client.py:26 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:12 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/extract_chrome_cookies.py:75 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/extract_chrome_cookies.py:99 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:258 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:277 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_chrome.py:91 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v3.py:107 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_download.py:62 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_download.py:102 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch.py:222 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch_stealth.py:89 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:51 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:82 |
| CRITICAL | Command Injection via OCR Swift Script | Multiple Python scripts define and use an `ocr_image_vision` or `ocr_image` function that executes a Swift script via `subprocess.run(['swift', swift_file, image_path])`. If an attacker can control the `image_path` (e.g., by crafting a malicious filename for a downloaded image), they could inject arbitrary shell commands. The `image_path` is derived from downloaded files, whose names can be influenced by user-controlled input (e.g., note titles). Ensure that `image_path` is strictly sanitized to prevent shell metacharacters. Consider using a safer method for OCR that does not involve executing external scripts with user-influenced arguments, or validate filenames rigorously. | LLM | scripts/legacy/fetch_note.py:100 |
| CRITICAL | Command Injection via External Executable in xhs_download.py | The `scripts/legacy/xhs_download.py` script executes an external executable (`XHS_EXECUTABLE`) using `subprocess.run` with a user-provided URL as an argument. If the `XHS_EXECUTABLE` itself is a shell script, or if it processes its arguments unsafely, a maliciously crafted URL could lead to arbitrary command execution on the host system. Thoroughly sanitize the `url` argument before passing it to the external executable. Ideally, avoid executing external binaries with user-controlled arguments. If necessary, ensure the external executable is robust against argument injection. | LLM | scripts/legacy/xhs_download.py:69 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'decrypt_chrome_cookies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/extract_chrome_cookies.py:75 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'extract_with_browser_cookie3'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/extract_chrome_cookies.py:99 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note.py:36 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:258 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_tesseract'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:277 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:212 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_chrome.py:91 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_chrome.py:53 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v2.py:38 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v3.py:107 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v3.py:63 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_download.py:62 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'download_note'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_download.py:102 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch.py:222 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_file' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch.py:183 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image_vision'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch_stealth.py:89 |
| HIGH | Potential data exfiltration: file read + network send | Function 'download_file' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch_stealth.py:58 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'ocr_image'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:51 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'scrape_note'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:82 |
| HIGH | Credential Harvesting and Data Exfiltration (Chrome Cookies & Keychain) | The `extract_chrome_cookies.py` and `login.py` scripts are explicitly designed to extract sensitive user data. `extract_chrome_cookies.py` attempts to retrieve Chrome's encryption key from macOS Keychain using the `security` command and accesses Chrome's cookie database directly. Both scripts extract all browser cookies and save them to local files (`~/.xiaohongshu-scraper/cookies.json`, `cookie_string.txt`), posing a significant credential harvesting risk. Avoid directly accessing browser cookie databases or system keychains. If authentication is required, use secure, token-based methods or prompt the user for credentials directly without storing them persistently in plain text or easily accessible files. | LLM | scripts/legacy/extract_chrome_cookies.py:15 |
| HIGH | Excessive Permissions via Chrome DevTools Protocol | The `scripts/legacy/fetch_note_chrome.py` script connects to a Chrome instance via the DevTools Protocol (`http://localhost:9222`). This grants full programmatic control over the browser, including access to all browsing data (cookies, local storage, history), and the ability to execute arbitrary JavaScript in any tab. This level of access is excessive and could be exploited if the skill processes untrusted input. Avoid connecting to browser DevTools Protocol with skills that process untrusted input. If remote debugging is necessary, ensure it's only enabled in highly controlled, isolated environments and that the skill's execution context is strictly sandboxed. | LLM | scripts/legacy/fetch_note_chrome.py:86 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note.py:15 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_api.py:15 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_chrome.py:19 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v2.py:15 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/fetch_note_v3.py:14 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch.py:14 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/legacy/xhs_fetch_stealth.py:14 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_api_client.py:22 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ty-teo/xiaohongshu-scraper/scripts/xhs_scraper.py:7 |
| MEDIUM | Unpinned Dependency Installation | The `scripts/legacy/extract_chrome_cookies.py` script dynamically installs the `browser-cookie3` package using `pip install` without specifying a version. This makes the skill vulnerable to supply chain attacks, such as dependency confusion or malicious package updates, where a compromised version of the package could be installed. Pin all dependencies to specific versions in a `requirements.txt` file (e.g., `browser-cookie3==X.Y.Z`) and install from that file. Avoid dynamic `pip install` calls within skill code. | LLM | scripts/legacy/extract_chrome_cookies.py:80 |
| MEDIUM | Server-Side Request Forgery (SSRF) via User-Controlled URLs | Multiple scripts accept a user-provided URL and then navigate a browser to it (`page.goto(url)`) or make an HTTP request to it (`requests.get(url)`). This could be exploited for Server-Side Request Forgery (SSRF) to probe internal networks, access local files (e.g., `file:///etc/passwd`), or interact with internal services if the environment allows it and the URL is not properly validated. Implement strict URL validation to ensure that only expected domains and schemes are allowed. Consider using a whitelist approach for URLs. Prevent access to `file://`, `localhost`, and internal IP ranges. | LLM | scripts/legacy/fetch_note.py:56 |
Full report: https://skillshield.io/report/becc25caacf5edd0