小红书低粉爆款笔记

Security checks across malware telemetry and agentic risk

Overview

This skill appears to serve its stated trend-analysis purpose, but it needs review because it handles API credentials and recurring outputs in unsafe or under-scoped ways.

Install only if you trust the publisher and are comfortable providing a RedFox API key. Prefer setting the key explicitly for the current session or through a secret manager, avoid allowing the skill to scan or edit shell profile files, review generated cache/report files after use, and use the subscription feature only after confirming how to cancel it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (11)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: Automatically scanning shell and PowerShell profile files to extract an API key exceeds the minimum privileges needed to perform an API-backed query. Reading these files can expose unrelated secrets, tokens, aliases, and personal configuration data, making credential overcollection and unintended disclosure more likely.

Description-Behavior Mismatch

Medium

Confidence: 85% confidence
Finding: The addition of daily subscription/push behavior introduces an ongoing action beyond one-time query and analysis. Persistent or recurring behavior is more sensitive because it can create background data processing, repeated network activity, and user-notification side effects that were not central to the stated core function.

Description-Behavior Mismatch

Low

Confidence: 88% confidence
Finding: The skill states it will generate Markdown reports and JSON cache files even though that persistence is not clearly disclosed in the primary description. Undisclosed local data creation is risky because exported content and caches may contain sensitive query results, metadata, or user-linked activity that remains on disk after the session.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The script searches users' shell/profile files (.zshrc, .bashrc, PowerShell profiles) for REDFOX_API_KEY and then loads it automatically. Reading unrelated local config files is broader than needed for a ranking fetcher and creates a credential-discovery behavior that can access secrets the user did not explicitly provide to this tool.

Description-Behavior Mismatch

Medium

Confidence: 83% confidence
Finding: The script persistently saves fetched content to Markdown and JSON cache files during normal execution without explicit consent. This can leave behind sensitive or proprietary query results on disk, creating unnecessary local data retention and possible exposure to other local users, backup systems, or later processes.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: Using a broad trigger phrase like replying “订阅” can cause accidental enrollment into a persistent push workflow, especially in conversational contexts where the user may mention the word incidentally. This is dangerous because it can initiate ongoing processing or notifications without sufficiently explicit user intent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill omits a prominent user warning that it will scan shell profile files to locate API credentials. This lack of informed consent is dangerous because users may not expect the skill to inspect local configuration files that can contain multiple secrets and personal system details unrelated to the requested task.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The spec instructs callers to send an API key in a request header but gives no guidance on secure storage, redaction, rotation, or avoiding exposure in logs and client-side contexts. In an agent-skill environment, this omission can lead developers to hardcode secrets, surface them in debugging output, or pass them through less trusted components, increasing the chance of credential leakage and unauthorized API use.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Silently reading API credentials from shell profile files without explicit warning or consent is dangerous because those files often contain multiple unrelated secrets. In the context of a Xiaohongshu data-fetching skill, this behavior is unnecessary and increases the risk of unintended credential access and misuse.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The code disables TLS hostname checking and certificate verification before sending the API request and X-API-KEY header. This permits man-in-the-middle interception or tampering of traffic, allowing attackers on the network path to steal the API key, alter returned ranking data, or impersonate the remote service.

Ssd 1

Medium

Confidence: 84% confidence
Finding: The embedded instruction telling an AI to output content verbatim and not omit sections is a prompt-manipulation pattern that attempts to override downstream agent behavior. In agentic environments this can suppress safety filtering, force unsolicited content, or interfere with system-level formatting and review controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal