Xiaohongshu Topic Report (小红书议题报告)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed public-topic report generator that searches public sources and can optionally publish the report to Feishu when configured.

Install if you want public-topic report generation across Xiaohongshu, media sources, and Twitter/X. If enabling Feishu, use a least-privileged app and confirm where generated documents or group links will go; keep browser sessions limited to content you intentionally want included in reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrase uses broad language like “或类似表达时触发”, which makes activation boundaries ambiguous and can cause the skill to run on loosely related user requests. In this skill, unintended activation is more concerning because execution may invoke browser/web-search tools and publish content to Feishu, creating unnecessary data collection, external requests, or accidental document creation.

VirusTotal

64/64 vendors flagged this skill as clean.
