Back to skill

Security audit

Xiaohongshu Suggest Keywords

Security checks across malware telemetry and agentic risk

Overview

This is a narrow browser-automation skill for collecting Xiaohongshu search suggestions, with the main privacy caveat that entered keywords go to Xiaohongshu.

Install only if you are comfortable with your entered keywords being submitted to Xiaohongshu. Avoid confidential personal or business terms, and consider using a logged-out or separate browser session if you do not want the activity tied to your main account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill instructs the agent to type user-provided keywords into a third-party website, which transmits those terms to Xiaohongshu and may expose sensitive user interests or business research terms without any explicit warning or consent step. While the functionality is expected for the skill’s purpose, the lack of a privacy/data-sharing notice means users may not realize their inputs are being sent to an external service and potentially logged.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.