Security audit

小红书数据分析

Security checks across malware telemetry and agentic risk

Overview

This skill is a content analytics helper that uses a supplied API key to retrieve public marketing data, with no executable code or hidden persistence found.

Before installing, confirm you trust the skill provider and understand where the XHS_API_KEY is used. Treat entered keywords, brand names, competitor names, and analysis requests as potentially sent to the provider's API, and use a scoped/revocable key if available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The README tells users to provide an API key and states that the skill will automatically retrieve related data, but it does not clearly disclose the external network access behavior, what data may be sent to third-party services, or the trust boundaries involved. This can lead users to unknowingly authorize outbound requests with their credentials and potentially expose query contents or business-sensitive inputs to an external provider.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.