
Security audit

Xiaohongshu Daily Viral Note Recommendations (小红书每日爆款笔记推荐)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises (Xiaohongshu trend reports), but its handling of the API key and of persistent user settings is too broad to install or run automatically without review.

Install only if you are comfortable giving this skill a RedFox API key and sending Xiaohongshu query metadata to redfox.hk. Prefer a temporary environment variable or a secret manager instead of letting an agent edit ~/.zshrc, ~/.bashrc, or Windows user environment settings. Treat the generated HTML as network-active, because opening it loads third-party scripts from CDNs, and enable the daily subscription only if you understand how to stop it.
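To check whether an agent has already persisted the key in plaintext, and to see the alternative the recommendation above asks for, the following is an added example for this audit page (not code from the skill). It scans shell and PowerShell profile text for REDFOX_API_KEY assignments, separates literal values from ones computed at shell start, and builds an environment for a single child process. The profile contents are constructed samples and every rf_fake_... value is made up.

```python
"""Detect REDFOX_API_KEY persisted in plaintext in shell or PowerShell
profiles, and build a per-process environment as the alternative.

Added example for this audit page, not code from the skill. The profile
contents below are constructed and every key value in them is fake.
"""
import os
import re
from typing import Optional

KEY_NAME = "REDFOX_API_KEY"

# An assignment line in bash/zsh (`export NAME=...`, `NAME=...`), cmd
# (`setx NAME value`) or PowerShell (`$env:NAME = ...`). Commented-out lines
# and longer names such as NAME_BACKUP do not match.
ASSIGN_RE = re.compile(
    r"^\s*(?:export\s+|setx\s+|\$env:)?" + KEY_NAME
    + r"(?!\w)\s*=?\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)


def classify_value(raw: str) -> str:
    """'plaintext' when the literal key sits in the file, 'indirect' when the
    value is computed at shell start (command substitution, another variable,
    a PowerShell expression), 'empty' for an empty quoted string."""
    value = raw.strip().strip("'\"")
    if not value:
        return "empty"
    if value.startswith(("$(", "`", "$", "%", "(")):
        return "indirect"
    return "plaintext"


def scan_profile(path: str, text: str) -> list:
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            hits.append({"path": path, "line": lineno,
                         "kind": classify_value(m.group("value"))})
    return hits


def scan_profiles(profiles: dict) -> list:
    """profiles maps a profile path to its contents. Reading the files is left
    to the caller so the scanner itself runs offline."""
    return [h for path, text in profiles.items() for h in scan_profile(path, text)]


def plaintext_hits(profiles: dict) -> list:
    return [h for h in scan_profiles(profiles) if h["kind"] == "plaintext"]


def one_process_env(key: str, base: Optional[dict] = None) -> dict:
    """Environment for a single child process (for example the fetcher
    script). The key goes into the child's environment only; os.environ and
    the profile files are untouched."""
    env = dict(os.environ if base is None else base)
    env[KEY_NAME] = key
    return env


# Constructed sample profiles; the rf_fake_... strings are not real keys.
SAMPLE_PROFILES = {
    "~/.zshrc": (
        "export PATH=$HOME/bin:$PATH\n"
        'export REDFOX_API_KEY="rf_fake_1234567890abcdef"\n'
    ),
    "~/.bashrc": (
        "# export REDFOX_API_KEY=rf_fake_old\n"
        'export REDFOX_API_KEY="$(pass show redfox/api-key)"\n'
    ),
    "Microsoft.PowerShell_profile.ps1": '$env:REDFOX_API_KEY = "rf_fake_0987654321"\n',
    "~/.profile": "export REDFOX_API_KEY_BACKUP=rf_fake_backup\n",
}

if __name__ == "__main__":
    for hit in scan_profiles(SAMPLE_PROFILES):
        print(f"{hit['path']}:{hit['line']}: {hit['kind']}")
    # Against real files: profiles = {p: open(os.path.expanduser(p)).read()
    # for p in ("~/.zshrc", "~/.bashrc", "~/.profile")}. To run the fetcher
    # with a scoped key instead of a persisted one (hypothetical variable
    # key_from_secret_manager):
    #   subprocess.run([sys.executable, "scripts/xhs_daily_fetcher.py"],
    #                  env=one_process_env(key_from_secret_manager))
```

The same scoping typed in the shell is `REDFOX_API_KEY="$(pass show redfox/api-key)" python scripts/xhs_daily_fetcher.py` (pass is one secret manager; any tool that prints the secret works): the variable exists for that one command and never reaches a profile file. Pasting the key literally on the command line instead puts it into shell history, which is the shell-history leakage the findings below mention.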

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The document instructs the agent to help write the API key into shell startup files or Windows user environment settings. That crosses from answering queries into modifying persistent user configuration, which can expose secrets in plaintext, affect unrelated sessions, and normalize dangerous secret-handling practices.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The workflow instructs the agent to permanently modify the user's shell profile or Windows user environment to persist an API key. This exceeds the minimum privileges needed for a one-time data query and can cause long-lived secret exposure to unrelated sessions, tools, or future skills, especially if the agent performs the change on the user's behalf without clear consent and security warnings.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The script searches multiple shell profile files for REDFOX_API_KEY, which expands its access beyond what is necessary to generate HTML from trend data. Reading unrelated user dotfiles can expose secrets unexpectedly and violates least-privilege expectations, especially in an agent skill context where users may not realize local files are being inspected.

Description-Behavior Mismatch
Severity: Low
Confidence: 84%
Finding: The generated HTML loads third-party JavaScript from public CDNs, so opening the exported file causes the browser to fetch and execute remote code outside the skill's core analytics function. This introduces supply-chain and privacy risk because those external scripts can change over time and may observe user metadata when the report is opened.
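To see what a generated report will fetch before opening it, the check below (an added example for this audit page, not the skill's code) parses the HTML for script tags with an external source, reports which of them lack a Subresource Integrity hash, and builds a Content-Security-Policy meta tag restricted to the hosts found. The sample report, its CDN hostnames and the integrity value are constructed; the page does not say which CDNs the skill actually uses.

```python
"""Inventory the external scripts in a generated HTML report and flag those
without Subresource Integrity. Added example; the sample report below is
constructed, and "sha384-fake" is a placeholder, not a real hash."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> start tag with its SRI attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        if attributes.get("src"):
            self.scripts.append({
                "src": attributes["src"],
                "integrity": attributes.get("integrity"),
                "crossorigin": attributes.get("crossorigin"),
            })


def external_scripts(html: str) -> list:
    """Scripts whose src has a host part (https://..., http://..., //...).
    Relative sources such as assets/local.js are not external."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for script in parser.scripts:
        parsed = urlparse(script["src"])
        if parsed.netloc:
            found.append({
                "host": parsed.netloc,
                "src": script["src"],
                # SRI only protects a cross-origin fetch together with crossorigin
                "sri": bool(script["integrity"]) and script["crossorigin"] == "anonymous",
            })
    return found


def unpinned_hosts(html: str) -> list:
    """Hosts whose scripts can change underneath the report at any time."""
    return sorted({s["host"] for s in external_scripts(html) if not s["sri"]})


def csp_meta(html: str) -> str:
    """A CSP meta tag allowing scripts only from the report itself and the
    hosts it already uses; inline scripts would additionally need a nonce or hash."""
    hosts = sorted({s["host"] for s in external_scripts(html)})
    policy = "default-src 'self'; object-src 'none'; script-src 'self' " + " ".join(hosts)
    return f'<meta http-equiv="Content-Security-Policy" content="{policy}">'


# Constructed sample modelled on a report that loads CDN scripts.
SAMPLE_REPORT = """<!doctype html><html><head>
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"
        integrity="sha384-fake" crossorigin="anonymous"></script>
<script src="assets/local.js"></script>
</head><body><div id="report"></div>
<script>var notes = [];</script>
</body></html>"""

if __name__ == "__main__":
    for script in external_scripts(SAMPLE_REPORT):
        print(("pinned  " if script["sri"] else "UNPINNED") + "  " + script["src"])
    print(csp_meta(SAMPLE_REPORT))
```

Run this over the file the skill wrote before double-clicking it; an unpinned host means whatever that CDN serves on the day you open the report is what executes, and each fetch tells that host the report was opened.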

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The script reads shell startup files such as ~/.zshrc and ~/.bashrc to extract REDFOX_API_KEY, which expands its access beyond the stated purpose of fetching ranking data. Those files often contain unrelated secrets and personal configuration, so this behavior increases the skill's sensitivity and the risk of unintended credential exposure or overcollection.

Description-Behavior Mismatch
Severity: Medium
Confidence: 83%
Finding: The script can write fetched data to an arbitrary path supplied by --output_json, which exceeds a pure read/analyze behavior and can modify local files. While this is not inherently malicious and requires user-supplied input, it can overwrite unintended files if invoked in an unsafe context or by a higher-privilege wrapper.
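The hardening this finding calls for, as an added example that is not the skill's code: confine the --output_json path to one output directory (rejecting absolute paths, traversal and non-.json names) and create the file with O_EXCL so an existing file, or a symlink planted at that name, is never silently replaced. Only the argument name --output_json is taken from the page; the directory layout and the demo data are assumptions, and the code targets POSIX (O_NOFOLLOW is skipped where the platform lacks it).

```python
"""Confine a user-supplied --output_json path to one directory and refuse to
clobber existing files. Added example; not the skill's code."""
import json
import os
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when the requested path is outside the allowed directory."""


def resolve_output_path(user_path: str, out_dir: str) -> Path:
    """Map a CLI path onto out_dir. Rejects absolute paths, non-.json names and
    anything that resolves (after symlinks and '..') outside out_dir."""
    base = Path(out_dir).resolve()
    raw = Path(user_path)
    if raw.is_absolute():
        raise UnsafeOutputPath(f"absolute path not allowed: {user_path}")
    if raw.suffix.lower() != ".json":
        raise UnsafeOutputPath(f"output must be a .json file: {user_path}")
    target = (base / raw).resolve()
    if base not in target.parents:
        raise UnsafeOutputPath(f"path escapes {base}: {user_path}")
    return target


def write_json_safely(data, user_path: str, out_dir: str, *, overwrite: bool = False) -> Path:
    """The unhardened form is simply open(args.output_json, "w"). This version
    confines the path, opens with O_EXCL unless overwrite is requested, never
    follows a symlink at the target name, and creates the file mode 0600."""
    target = resolve_output_path(user_path, out_dir)
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    flags |= os.O_TRUNC if overwrite else os.O_EXCL
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, ensure_ascii=False, indent=2)
    return target


def demo() -> dict:
    """Exercise the checks in a throwaway directory and report each outcome.
    The {"notes": 3} payload stands in for fetched trend data."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        written = write_json_safely({"notes": 3}, "report.json", d)
        results["written"] = json.loads(written.read_text(encoding="utf-8"))
        results["inside_out_dir"] = written.parent == Path(d).resolve()
        for bad in ("../escape.json", "/etc/passwd.json", "notes.txt"):
            try:
                resolve_output_path(bad, d)
                results[bad] = "allowed"
            except UnsafeOutputPath:
                results[bad] = "rejected"
        try:
            write_json_safely({}, "report.json", d)
            results["clobber"] = "allowed"
        except FileExistsError:
            results["clobber"] = "rejected"
        results["explicit_overwrite"] = write_json_safely(
            {"notes": 4}, "report.json", d, overwrite=True).exists()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Checking the path with string comparison alone is not enough: a `..` component or a symlink inside the output directory can still land the write elsewhere, which is why the check runs on the resolved path and the open itself refuses to follow a symlink.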

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The README instructs users to interact using unrestricted natural language, without defining narrow trigger boundaries or constraining what actions the skill should take. In agent environments, broad invocation guidance can cause accidental activation on common requests and increase the chance the skill is used in unintended contexts or with ambiguous user intent.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The example phrase is broad enough to overlap with normal conversational requests about trending content, which may cause the skill to trigger when a user did not specifically intend to use this tool. That increases the risk of misrouting prompts, unexpected external API calls, or unnecessary exposure of data returned by the skill.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The README advertises a daily 19:30 subscription push but does not clearly warn users that enabling it creates ongoing automated notifications until canceled. In a conversational agent setting, this can lead to consent ambiguity, surprise recurring messages, and unintended persistent behavior.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: Overly broad trigger phrases increase the risk of accidental invocation during ordinary conversation. In this skill, accidental invocation could lead to unintended network calls, local file writes, or use of stored API credentials without the user clearly intending to run the skill.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The broad natural-language query examples overlap with normal discussion about trends or content ideas, making unintended triggering plausible. Because the skill can access secrets and external services, ambiguous activation expands the chance of unconsented actions and data exposure.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: Ambiguous commands like '每日爆款笔记' (daily viral notes) lack sufficient scope constraints and may fire the skill when the user is merely discussing the topic. Given the skill's side effects (API usage, cache creation, and possible HTML generation), this ambiguity materially increases the risk of unintended operations.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: The workflow tells the agent to help set a permanent environment variable containing a secret, yet provides insufficient warning about persistence, cross-session exposure, shell-history leakage, and the risk of other tools reading that value. In this skill context, the action is more dangerous because the core task is simple data retrieval and does not justify privileged, persistent system configuration changes.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The script reads credential material from shell startup files without any user-facing warning, which is sensitive local data access not obvious from the skill description. In a skill ecosystem, undisclosed inspection of user dotfiles is risky because those files commonly contain other secrets and configuration beyond the needed API key.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The script sends the user's API key plus query parameters to an external service without a clear warning in the user-facing behavior. Even though the transmission is functionally necessary, lack of disclosure is a security and privacy issue because users may not realize their credential and request metadata are being shared with a third-party endpoint.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: Reading shell configuration files without clear user notice accesses sensitive local credential material unrelated to the visible task. In the context of an agent skill, this is more dangerous because users may expect only network fetching, not inspection of personal startup files that can contain many secrets besides the target API key.

VirusTotal

65/65 vendors reported this skill as clean. Antivirus verdicts cover conventional malware signatures, not the secret-handling, trigger and consent issues listed above, so a clean result here does not lower those findings.

Static analysis

Detected: suspicious.exposed_secret_literal (Critical): file appears to expose a hardcoded API secret or token.
  • scripts/gen_xhs_html.py:194
  • scripts/xhs_daily_fetcher.py:173

This rule matches string literals that look like secrets, so placeholder and example values trigger it as well, and the SkillSpector findings above describe the key being read from the environment and shell profiles rather than embedded in source. Inspect the two flagged lines before treating this as a leaked credential, and rotate the key if a real one is present.