Security audit

Xiaohongshu Viral Note Generator (小红书爆款笔记生成器)

Security checks across malware telemetry and agentic risk

Overview

This is a small Xiaohongshu post generator that uses DeepSeek for content generation, with privacy and API-key considerations but no hidden or destructive behavior found.

Install only if you are comfortable sending the requested topic and writing details to DeepSeek and using a local DeepSeek API key for that request. Avoid entering sensitive, confidential, regulated, or client-proprietary material unless external AI processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The invocation example is very broad: '写一篇关于 [产品/主题] 的小红书笔记' ("Write a Xiaohongshu note about [product/topic]") can match a wide range of ordinary user requests without clear scoping, consent, or namespace constraints. This increases the chance of unintended activation or conflict with other writing-related skills, causing the agent to route content generation requests into this skill unexpectedly.

Missing User Warnings

Medium (93% confidence)
Finding
The script sends user-supplied topic content to a third-party API (DeepSeek) and also loads an API key from local configuration, but it provides no disclosure, consent flow, or warning that prompts leave the local environment. This creates a privacy and data-handling risk because users may unknowingly submit sensitive or proprietary content to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.