Back to skill

Security audit

Xiaohongshu CN

Security checks across malware telemetry and agentic risk

Overview

This is a Xiaohongshu research guide, but users should treat its third-party scraping and packet-capture suggestions carefully.

Before using this skill, review any linked crawler separately, pin a known-safe commit if possible, and run it in a sandbox or disposable environment. Avoid packet capture or reverse engineering unless you understand the legal, privacy, account, and credential risks, and keep any collection low-rate and compliant with the platform’s rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs users to use web scraping, mini-program packet capture, and reverse-engineering style access to a platform that does not provide a public API, but it provides only minimal caution about rate limits and account bans. That guidance can normalize legally sensitive or privacy-impacting collection behavior and expose users to credential, device, or third-party code risk from unvetted scraping tools.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.