Xiaohongshu Sentiment Crawler (小红书舆情爬虫)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Xiaohongshu scraping and sentiment-analysis skill with expected account, crawling, and local data-retention risks that users should manage carefully.

Before installing or running the skill, inspect any external crawler repository, preferably pinning it to a known commit and using a virtual environment. Use only an account you are comfortable using for scraping, keep crawl rates low, and follow Xiaohongshu rules and applicable privacy law. Minimize, secure, and delete exported datasets when they are no longer needed, because they may contain personal or sensitive user-generated content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly describes collecting and storing comments, IP region, and downloaded images/videos, but only includes generic guidance like 'for learning' and anti-ban notes. It does not clearly warn users that these fields may contain personal or sensitive data, creating privacy, compliance, and misuse risks when operators collect, retain, or export Xiaohongshu user data.

VirusTotal

66/66 vendors flagged this skill as clean.
