xiaohongshu-search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Xiaohongshu research skill, but it asks an agent to control a logged-in Chrome session through remote debugging without enough containment guidance.

Install only if you are comfortable letting the agent control a Chrome session for Xiaohongshu research. Use a separate Chrome profile or test account, keep remote debugging local, close that browser when finished, and avoid using a profile with unrelated sensitive logins.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The invocation guidance is broad enough to encourage arbitrary searches based on free-form city/business keywords without clear scope, authorization, or data-handling limits. Because the skill operates a logged-in browser session against a live consumer platform, this can lead to overcollection, unintended browsing beyond the intended task, and use in contexts not originally approved by the user or organization.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal