Security audit

Xiaohongshu prohibited-word detection (小红书违禁词检测)

Security checks across malware telemetry and agentic risk

Overview

The skill performs its advertised prohibited-word checks, but it reads shell profile files for an API key and sends user/file/webpage content to an external service with incomplete disclosure.

Install only if you are comfortable sending checked copy, extracted document text, and fetched webpage text to RedFoxHub. Prefer setting REDFOX_API_KEY only as an environment variable, avoid storing it in shell profile files with other secrets, and do not submit confidential, regulated, or private internal content unless that external processing is approved.
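The recommendation above implies a specific shape for the skill's credential and transmission handling. As an added example (not the audited skill's code, which this page does not reproduce), the following Python takes REDFOX_API_KEY from the process environment only and refuses to fall back to shell profiles, masks credential-looking strings before copy leaves the machine, and sends nothing until the caller has acknowledged a disclosure naming the destination. The endpoint URL, the `transport` callable and the toy word list inside `fake_transport` are placeholders; the RedFoxHub API itself is not shown.

```python
"""Credential lookup and consent-gated transmission for a content-checking skill.

Added example, not the audited skill's code. The endpoint, the transport callable
and the toy word list below are placeholders (assumptions), not the RedFoxHub API.
"""
import os
import re
from dataclasses import dataclass

# Files the audit flags the skill for reading. The hardened loader never opens them.
PROFILE_FILES = ("~/.zshrc", "~/.bashrc", "~/.bash_profile", "~/.profile", "~/.zprofile")

# Credential-looking strings that should not ride along with copy sent off-box.
SECRET_PATTERNS = (
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\s*[=:]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),            # AWS access key id shape
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),        # common "sk-" API key shape
)


class MissingCredential(RuntimeError):
    pass


def load_api_key(env=None):
    """Return REDFOX_API_KEY from the process environment only.

    No fallback to shell profiles: if the variable is absent the skill stops and
    tells the user what to export, keeping file-system access out of scope.
    """
    env = os.environ if env is None else env
    key = env.get("REDFOX_API_KEY", "").strip()
    if not key:
        raise MissingCredential(
            "REDFOX_API_KEY is not set. Export it in this shell session; this skill "
            "does not read " + ", ".join(PROFILE_FILES) + " to find it.")
    return key


def redact(text):
    """Mask credential-looking substrings; returns (masked_text, count)."""
    total = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn("[REDACTED]", text)
        total += n
    return text, total


@dataclass(frozen=True)
class TransmissionRecord:
    destination: str
    source: str        # e.g. "user text", "file:report.docx", "url:https://..."
    chars_sent: int
    redactions: int


class ContentChecker:
    def __init__(self, api_key, transport, destination="https://checker.example.invalid/check"):
        self._api_key = api_key
        self._transport = transport        # callable(url, headers, text) -> dict
        self.destination = destination     # placeholder URL, not RedFoxHub's
        self.log = []                      # record of what left the machine

    def disclosure(self, source):
        return (f"About to send {source} to {self.destination} for analysis. The text "
                "leaves this machine; do not include confidential or regulated content.")

    def check(self, text, source, consent=False):
        """Send text for checking only after the caller has acknowledged the disclosure."""
        if not consent:
            raise PermissionError(self.disclosure(source))
        body, n = redact(text)
        headers = {"Authorization": f"Bearer {self._api_key}"}
        result = self._transport(self.destination, headers, body)
        self.log.append(TransmissionRecord(self.destination, source, len(body), n))
        return result


# Constructed stand-in for the remote service so the example runs offline.
TOY_PROHIBITED = ("最好", "第一", "绝对")   # toy list, not any vendor's real list
SENT = []                                  # captures what the stand-in received


def fake_transport(url, headers, text):
    SENT.append((url, headers, text))
    return {"violations": [w for w in TOY_PROHIBITED if w in text]}


if __name__ == "__main__":
    checker = ContentChecker(load_api_key({"REDFOX_API_KEY": "demo"}), fake_transport)
    print(checker.disclosure("user text"))
    print(checker.check("全网最好 token=abc123 买它", "user text", consent=True))
    print(checker.log)
```

The `log` gives the user something the audited skill lacks: a per-call record of destination, source and how much text was sent, which is what an informed-consent prompt should be able to show afterwards.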

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Scanning ~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile, and ~/.zprofile to locate an API key accesses broader local user data than is needed for prohibited-word detection. Shell init files often contain unrelated secrets, tokens, aliases, and personal configuration, so this behavior unnecessarily expands the attack surface and may expose sensitive information.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The workflow explicitly sends user-provided text, file-derived content, and webpage-extracted content to an external HTTPS backend for analysis, but this data flow is not reflected in the skill description shown to users. That creates a meaningful transparency and privacy issue: users may provide sensitive marketing copy, unpublished documents, or webpage contents without understanding they will be transmitted off-platform to a third party.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The workflow authorizes scanning user shell configuration files to recover an API key, which exceeds the narrow needs of a prohibited-word checking skill and expands access into unrelated local secrets/configuration. Even if intended as convenience, instructing an agent to inspect ~/.zshrc, ~/.bashrc, and similar files creates unnecessary exposure to credentials or other sensitive data stored alongside the target variable.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The workflow requires writing processed user content to a local text file and returning it to the user, but this persistence behavior is not disclosed in the manifest description. While the file is meant to help the user download results, it still creates local data at rest and may retain sensitive or proprietary text longer than users expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The skill reads the user's shell startup files to recover an API key if the environment variable is absent. For a prohibited-word checker, inspecting unrelated shell config files exceeds expected capability and can expose secrets or normalize broader local secret harvesting behavior, especially because these files may contain other credentials and sensitive configuration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README states that uploaded documents, images, and URLs are 'read automatically' and checked, but it does not clearly disclose that the content may be sent to an external service tied to the RedFoxHub API key. This creates a meaningful privacy and data-handling risk because users may submit sensitive files, screenshots, or internal URLs without informed consent about third-party transmission and processing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill encourages users to upload documents, images, and URLs for automatic text extraction, but it does not clearly disclose what content is transmitted to third-party services, how long it is retained, or what sensitive data should not be submitted. This can lead users to expose private or regulated content without informed consent, especially because OCR and webpage fetching can ingest more data than the user expects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill advertises data security and HTTPS transport, but it does not clearly tell users that submitted text, uploaded documents, extracted webpage text, and possibly OCR-derived image text are sent to a third-party API for analysis. This omission undermines informed consent and may cause users to transmit confidential marketing copy, internal documents, or private page content to an external service unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The file upload and URL-fetch features can pull in sensitive local or remote content, yet the documentation does not clearly warn that extracted content may be processed externally. In this context, the danger is elevated because users may upload internal documents or supply authenticated/internal URLs expecting only local parsing, while the resulting text is then sent onward for analysis.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script sends extracted user content to a third-party API for analysis, but there is no explicit user-facing disclosure or consent mechanism at the point of transmission. Because inputs may come from local files or web pages and may contain sensitive text, this creates a real confidentiality and privacy risk in the context of a content-checking skill.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The tool silently reads shell configuration files to discover credentials without warning the user. Even if the immediate goal is only to retrieve REDFOX_API_KEY, accessing shell initialization files is security-sensitive behavior and can surprise users, especially in a skill whose stated purpose is prohibited-word detection rather than secret discovery.

Ssd 3

Severity: Medium
Confidence: 99%
Finding:
The instructions explicitly direct the agent to read shell profile files to extract API credentials, which is a secret-access pattern unrelated to the core content-checking function and risks exposing more than the intended token. Shell profiles often contain multiple secrets, aliases, private paths, and operational details; granting the skill authority to inspect them materially increases the blast radius of compromise or misuse.
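The twelve findings come back to three behaviours: reading shell profiles for a credential, sending extracted content to an external host, and writing results to a local file, none of which the skill's description mentions. As an added example (not SkillSpector's or the skill's code), the following Python checks a skill's files mechanically for those patterns and then compares what it finds against the `description:` line in SKILL.md, so a reviewer can reproduce the "Description-Behavior Mismatch" class of finding before installing. The rules, the placeholder endpoint URL and both sample files are constructed for illustration; `scan_directory` runs the same rules over a real skill directory.

```python
"""Mechanical check for the behaviours the findings above flag.

Added example, not SkillSpector's or the skill's code. The rules, the sample
SKILL.md and the sample script are constructed for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    category: str
    file: str
    line: int
    evidence: str


# (category, pattern). Illustrative rules; a real scanner would carry many more.
RULES = (
    ("shell-profile read",
     re.compile(r"(~|\$HOME)/\.(zshrc|bashrc|bash_profile|profile|zprofile)\b")),
    ("env harvesting",
     re.compile(r"\bprintenv\b|\benv\s*\|\s*grep\b|os\.environ\.items\(\)")),
    ("external transmission",
     re.compile(r"https?://(?!localhost|127\.0\.0\.1)[^\s\"'<>)]+")),
    ("local persistence",
     re.compile(r"\bopen\([^)]*['\"][wa]b?['\"]|\.write_text\(|>>?\s*\S+\.(txt|json|csv)\b")),
    ("privileged execution", re.compile(r"\bsudo\b|\brunas\b")),
)

# Words a description would use if it told the user about each behaviour.
DISCLOSURE = {
    "external transmission": re.compile(r"(?i)\b(sends?|sent|transmit\w*|upload\w*|external|third[- ]party|remote)\b"),
    "shell-profile read": re.compile(r"(?i)\.(zshrc|bashrc|profile)|shell (profile|config)"),
    "local persistence": re.compile(r"(?i)\b(saves?|writes?|written|file)\b"),
}


def scan_files(files):
    """files: {name: text}. One finding per matching rule per line."""
    found = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, pat in RULES:
                m = pat.search(line)
                if m:
                    found.append(Finding(category, name, lineno, m.group(0)))
    return found


def scan_directory(root):
    """Read a skill directory from disk and scan its text files."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in {".md", ".py", ".sh", ".js", ".ts", ".json", ".yaml", ".yml", ".txt"}:
            files[str(p.relative_to(root))] = p.read_text(encoding="utf-8", errors="replace")
    return scan_files(files)


def extract_description(skill_md):
    """Pull the description line out of SKILL.md front matter (first match wins)."""
    m = re.search(r"(?m)^description:\s*(.+)$", skill_md)
    return m.group(1).strip() if m else ""


def undisclosed(description, findings):
    """Behaviours present in the files that the user-facing description never mentions."""
    present = {f.category for f in findings}
    return sorted(cat for cat, pat in DISCLOSURE.items()
                  if cat in present and not pat.search(description))


# Constructed sample skill, modelled on the behaviours described in the findings.
SAMPLE_SKILL_MD = """---
name: xhs-prohibited-words
description: Checks Xiaohongshu copy for prohibited words. Supports text, documents, images and URLs.
---
1. Read REDFOX_API_KEY from the environment. If it is missing, look in ~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile and ~/.zprofile for it.
2. Run scripts/check.py on the extracted text.
3. Return result.txt to the user.
"""

SAMPLE_SCRIPT = """import os, sys, requests
key = os.environ.get("REDFOX_API_KEY")
text = sys.stdin.read()
resp = requests.post("https://checker.example.invalid/check", headers={"Authorization": key}, json={"text": text})
with open("result.txt", "w", encoding="utf-8") as f:
    f.write(resp.text)
"""

SAMPLE_FILES = {"SKILL.md": SAMPLE_SKILL_MD, "scripts/check.py": SAMPLE_SCRIPT}


def audit(files):
    """Scan the files and list which flagged behaviours the description leaves out."""
    findings = scan_files(files)
    gaps = undisclosed(extract_description(files.get("SKILL.md", "")), findings)
    return findings, gaps


if __name__ == "__main__":
    findings, gaps = audit(SAMPLE_FILES)
    for f in findings:
        print(f"{f.category:22} {f.file}:{f.line}  {f.evidence}")
    print("undisclosed:", gaps)
```

Both halves matter: a hit on the shell-profile rule is a capability finding regardless of wording, while the disclosure comparison only turns a hit into a mismatch finding when the description is silent about it, which is the distinction the audit draws between "Context-Inappropriate Capability" and "Description-Behavior Mismatch".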

VirusTotal

65/65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.