Security audit

redbook-feedback-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill has a real social-media monitoring purpose, but it over-collects raw posts, uses logged-in browser and KM access, and has an undisclosed remote LLM data flow.

Install only after confirming you are comfortable with it using a logged-in Chrome session, scraping and retaining raw Xiaohongshu content, sending post text to the configured internal LLM endpoint, and modifying a shared KM document. Narrow the keywords and date range, remove or protect hardcoded credentials, review outputs before publication, and define retention/redaction rules before scheduled use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The output stores bulk raw Xiaohongshu post bodies, URLs, locations, timestamps, likes, and comments instead of the promised summarized feedback analysis. This creates unnecessary retention and redistribution of third-party content and potentially personal or sensitive user-generated data, increasing privacy, compliance, and data-handling risk beyond the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
Many retained entries are clearly unrelated to paotui product reputation analysis, such as generic part-time job ads, giveaways, proxy-ordering offers, personal requests for help, and similar content. Poor relevance filtering broadens data collection far beyond the declared monitoring scope, which increases unnecessary ingestion of unrelated user content and makes downstream analysis less trustworthy.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script silently broadens the collection window from the user-requested range up to 30 days when it cannot find enough results. That creates a scope-expansion/data-minimization problem: users asking for a narrow period may unknowingly collect and analyze older posts, which can violate operator expectations, internal policy, or consent boundaries for monitoring tasks.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The help text claims support for a --date parameter that takes priority over --days, but the implementation never parses or applies it. This is a deceptive-interface/documentation mismatch that can cause operators to believe they are collecting a single intended date while the tool actually uses the default rolling window, leading to unintended overcollection.

Vague Triggers

Medium
Confidence: 84%
Finding
Overly broad trigger phrases such as common-language terms can cause accidental invocation in unrelated conversations. In a skill that performs scraping, analysis, and potential document-writing, unintended activation increases the chance of unnecessary network access, data processing, and downstream content modification.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs inserting results at the top of a shared KM document without warning the user that existing collaborative content will be modified. In context, this is more dangerous because it targets a shared knowledge system, so unintended or repeated runs could overwrite context, spam documents, or introduce inaccurate externally derived analysis into a trusted workspace.

Vague Triggers

Medium
Confidence: 90%
Finding
The keyword list includes broad terms like '跑腿' (errand running) and '帮买' (buying on someone's behalf), which match many ordinary requests unrelated to the intended monitoring target. Overbroad acquisition rules cause excessive scraping and collection of irrelevant user content, increasing privacy exposure and making the skill easier to misuse for broad surveillance or gray-market discovery.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script sends post titles and bodies to an external LLM API, which can expose scraped user-generated content to a third-party service without any visible consent, notice, minimization, or policy enforcement in the code. In this skill's context, the input is social-media content for sentiment analysis, so remote processing is functionally expected, but the hardcoded endpoint and headers make undisclosed data sharing more concerning rather than less.

Ssd 2

Medium
Confidence: 99%
Finding
This content instructs users how to bypass or manipulate platform refund processes by providing pretextual reasons and obtaining questionable supporting documents, including suggesting that verification is lax. In the context of an analysis skill, retaining and potentially surfacing such guidance normalizes fraud enablement and could facilitate policy evasion or deceptive claims.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.