Back to skill

Security audit

Xiaohongshu Insight

Security checks across malware telemetry and agentic risk

Overview

Review recommended: the skill presents itself as a live Xiaohongshu trend data service, but the included scripts only generate mock data.

Install only if you understand this as a demo or mock analytics tool. Do not rely on its trend reports, viral-post lists, or competitor analysis as real Xiaohongshu data unless the publisher provides a documented live data source and update mechanism; review output filenames before running exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill's invocation guidance is overly broad: phrases like 'use when users mention Xiaohongshu viral posts, post data, traffic trends, creative inspiration' can match many ordinary user requests without clearly constraining when this skill should activate. In an agent environment, this increases the chance of over-triggering the skill, causing unnecessary data access, irrelevant tool use, or unintended competitor/account analysis on loosely related prompts.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.