Xiaohongshu Seven-Day Viral Notes (小红书七日爆款笔记)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Xiaohongshu trend/reporting helper, but it asks for persistent credential handling and recurring push behavior that need careful review before installation.

Install only if you are willing to review and tighten the setup first: use a skill-scoped secret store or an explicit environment variable rather than writing the key into shell profiles, remove any code that searches profile files for secrets, and require an explicit confirmation before the skill generates previews or creates a recurring daily push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The skill instructs the agent to persistently modify shell startup files or Windows user environment variables to install an API key globally. Persisting secrets into profile files expands the blast radius beyond this skill, can expose credentials to other tools or sessions, and exceeds the minimally necessary action for a one-purpose analytics skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The workflow expands a data-query/analysis skill into proactive side effects: generating and previewing HTML artifacts and enabling subscription flows. These actions go beyond answering the immediate user query and increase the chance of unintended file creation, UI exposure, or persistence-oriented behavior without sufficiently clear, separate consent boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Requiring creation of an automated daily push task introduces persistent behavior that is not necessary for one-off trend analysis. Persistence increases risk because the agent may schedule recurring actions on the user’s behalf without robust consent, cancellation, or scope controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The generated HTML loads executable JavaScript from third-party CDNs at page-open time, which means a nominally local report depends on remote code and network access. If the CDN content is compromised, replaced, blocked, or modified in transit, opening the exported report can execute unintended script in the viewer's browser and expose report data or alter behavior.
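The two ways to close the gap described in this finding, pin the library with Subresource Integrity or vendor and inline it, together with an audit that flags any remote script the report still pulls without a pin. This is an added example, not the skill's own report generator; CDN_URL, the stand-in library bytes in VENDORED_JS and the sample rows are constructed for illustration.

```python
"""Added example (not the skill's code): SRI-pinned or inlined chart library for
the exported HTML report, plus an audit that flags remote scripts without a pin.
CDN_URL and VENDORED_JS are assumptions/constructed."""
import base64
import hashlib
import json
import re

CDN_URL = "https://cdn.example.invalid/chart.min.js"  # assumed library URL
# Constructed stand-in for the vendored library bytes; hash the real file in practice.
VENDORED_JS = b"window.renderChart=function(d){console.log('chart',d)};"


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value: 'sha384-' + base64(SHA-384(bytes))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def weak_script_tag(url: str) -> str:
    # The pattern in the finding: whatever the CDN serves at open time runs.
    return f'<script src="{url}"></script>'


def pinned_script_tag(url: str, vendored: bytes) -> str:
    # The browser refuses to execute the response unless its bytes hash to `integrity`.
    return (f'<script src="{url}" integrity="{sri_hash(vendored)}" '
            'crossorigin="anonymous"></script>')


def inline_script_tag(vendored: bytes) -> str:
    # No network dependency at all; only safe because `vendored` is trusted code.
    return "<script>" + vendored.decode("utf-8").replace("</", "<\\/") + "</script>"


SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_html(html: str) -> list:
    """One message per <script src=...> that is unpinned or fetched over plain http."""
    problems = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src")
        if not src:
            continue  # inline script: nothing fetched from the network
        if src.startswith("http://"):
            problems.append(f"{src}: loaded over plain http")
        if "integrity" not in attrs:
            problems.append(f"{src}: remote script without integrity attribute")
    return problems


def build_report(rows: list, pinned: bool = True) -> str:
    """Render the report; `pinned=False` reproduces the weak form for comparison."""
    tag = pinned_script_tag(CDN_URL, VENDORED_JS) if pinned else weak_script_tag(CDN_URL)
    # Escape '<' so report data (note titles etc.) cannot close the script element.
    data = json.dumps(rows).replace("<", "\\u003c")
    return ('<!doctype html><html><head><meta charset="utf-8">' + tag + "</head>"
            '<body><div id="chart"></div><script>renderChart(' + data + ")</script></body></html>")


if __name__ == "__main__":
    rows = [{"title": "constructed note </script>", "likes": 1200}]
    for pinned in (False, True):
        print(pinned, audit_html(build_report(rows, pinned=pinned)))
```

The integrity value must be computed from the exact artifact the pinned URL serves (same version, same build), otherwise the browser blocks the library and the report renders empty; inlining the vendored copy avoids both that coupling and the network dependency at the cost of a larger file.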

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The script searches shell profile files such as .zshrc and .bashrc to extract API credentials, expanding its access into sensitive local configuration unrelated to the minimum needed runtime path. In an agent skill context, this is dangerous because it normalizes secret discovery from user files and could expose credentials far beyond the intended scope if the skill runs with filesystem access.
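What the overview recommends in place of the behaviour in this finding and in the first one above (persisting the key into shell profiles or Windows user environment variables, and scraping .zshrc/.bashrc for it): resolve the key from an explicit environment variable or an owner-only, skill-scoped secret file, never from profile files, together with a static check that flags skill code which touches those files. This is an added example, not the skill's code; the variable name XHS_API_KEY, the secret-file location, the Windows patterns (setx, [Environment]::SetEnvironmentVariable) and SAMPLE_SOURCE are assumptions/constructed.

```python
"""Added example (not the skill's code): skill-scoped credential handling and a
static check for profile-file access. XHS_API_KEY, the secret-file location and
SAMPLE_SOURCE are assumptions/constructed for illustration."""
import os
import re
import stat
import tempfile
from pathlib import Path

ENV_VAR = "XHS_API_KEY"  # assumed name of the explicit environment variable

# Patterns indicating a skill reads or persists secrets via shell profiles or
# Windows user environment variables (setx / [Environment]::SetEnvironmentVariable
# are assumed here to be how the Windows variant is done).
PROFILE_PATTERNS = [
    re.compile(r"\.(?:zshrc|zprofile|bashrc|bash_profile|profile)\b"),
    re.compile(r"\bsetx\b", re.IGNORECASE),
    re.compile(r"\[Environment\]::SetEnvironmentVariable", re.IGNORECASE),
]


def audit_skill_source(source: str) -> list:
    """Return (line_number, matched_text) for every line that touches shell
    profiles or Windows user environment variables; an empty list is a pass."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in PROFILE_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
                break
    return hits


def load_api_key(env=None, secret_path=None):
    """Resolve the key from the explicit variable, else from a skill-scoped
    secret file that must be owner-only; never from ~/.zshrc or similar."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR)
    if key:
        return key.strip()
    if secret_path is None:
        return None
    p = Path(secret_path)
    if not p.is_file():
        return None
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p} is readable by group/others (mode {mode:o}); refusing to use it")
    return p.read_text(encoding="utf-8").strip() or None


def store_api_key(key: str, secret_path) -> Path:
    """Persist the key to an owner-only file under the skill's own directory
    instead of appending `export XHS_API_KEY=...` to a shell profile."""
    p = Path(secret_path)
    p.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(key)
    os.chmod(p, 0o600)  # enforce the mode even if the file already existed
    return p


# Constructed snippet in the shape the findings describe; not the real skill.
SAMPLE_SOURCE = """\
import os
key = os.environ.get("XHS_API_KEY")
for rc in ("~/.zshrc", "~/.bashrc"):
    text = open(os.path.expanduser(rc)).read()
subprocess.run(["setx", "XHS_API_KEY", key])
"""


def demo_roundtrip() -> dict:
    """Store, load, then show that a loosened file mode is rejected."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "secrets" / "api_key"
        store_api_key("sk-constructed-example", path)
        from_file = load_api_key(env={}, secret_path=path)
        from_env = load_api_key(env={ENV_VAR: " sk-env "}, secret_path=path)
        os.chmod(path, 0o644)
        try:
            load_api_key(env={}, secret_path=path)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
    return {"from_file": from_file, "from_env": from_env, "loose_rejected": loose_rejected}


if __name__ == "__main__":
    print(audit_skill_source(SAMPLE_SOURCE))
    print(demo_roundtrip())
```

Running audit_skill_source over a skill's scripts before installation is the quickest way to confirm the first and fifth findings for yourself; the mode check in load_api_key is what keeps a skill-scoped file from quietly becoming as exposed as a world-readable profile.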

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README explicitly says users can invoke the skill with unrestricted natural-language requests, which creates ambiguous activation boundaries. In an agent environment, broad triggers increase the chance the skill is invoked unintentionally from ordinary conversation, causing unexpected API usage, data retrieval, or side effects such as subscription setup.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The example phrases are very broad, everyday-language requests that could easily overlap with normal user discussion about trending content. This makes accidental routing to the skill more likely, especially in assistants that auto-select tools from conversational context, potentially leading to unnecessary external API calls or unintended workflow execution.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to match ordinary conversation about popular content, increasing the chance the skill activates when the user did not intend to invoke it. In context, that can cause unnecessary network calls, file generation, or credential-related setup prompts that exceed user expectations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The documentation tells the agent to make persistent environment changes but does not prominently warn that this alters shell configuration or stores a secret for future sessions. Users may unknowingly grant long-lived access to the API key across unrelated workflows, increasing exposure and making rollback harder.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
An overly broad trigger condition can cause the skill to activate on generic conversation and perform actions the user did not intend, especially given the workflow’s file-generation and subscription capabilities. In context, accidental invocation is more dangerous because the skill is not limited to passive analysis output.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The subscription flow asks the user to enable a recurring daily push without clearly disclosing what user data is stored, how often they will be contacted, or how to cancel. That is dangerous because it enables persistent engagement behavior without informed consent and can lead to unwanted notifications or retention of user state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code is designed to access sensitive credential sources but gives no user-facing disclosure at the point it may inspect local shell configuration. In a skill ecosystem, silent access to files that commonly contain secrets increases the risk of unauthorized credential exposure and undermines informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.