Back to skill

Security audit

Xhs Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Xiaohongshu scraping helper that saves public scraped content locally, with no hidden code or malware signals found.

Before installing, make sure Xiaohongshu scraping is allowed for your use case, avoid collecting private or sensitive personal content, be careful with logged-in session use, and periodically review or delete the saved data under ~/disk/xiaohongshu to manage privacy and disk usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes persistent storage locations and saved artifacts for scraped notes, profiles, HTML, JSON, Markdown, and downloaded media, but it does not clearly warn the user that invoking the skill will write potentially large amounts of third-party data to local disk. This can create privacy, compliance, and operational risks because users may unknowingly retain scraped personal content and consume storage in predictable directories under their home folder.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.