Xiaohongshu Follower Growth Data (小红书涨粉数据)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated ranking/export/subscription purpose, but it disables HTTPS identity checks for its data source and includes contact-based notification/storage features that deserve review before use.

Install only if you accept that ranking data may be fetched without normal HTTPS identity verification. Avoid using sensitive contact details or production messaging credentials unless you understand where the local subscriptions.json and delivery configuration files are stored, and expect generated Excel/image files to be copied to the Desktop when those features run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 78%
Finding
The file implements outbound email and WeChat delivery capabilities, which expand the skill beyond its stated purpose of tracking follower growth and generating ranking charts. That increases the attack surface and creates a data egress channel that could be abused to distribute scraped data or spam if the skill is invoked unexpectedly or repurposed.

Description-Behavior Mismatch

Severity: Low
Confidence: 89%
Finding
The script silently creates an extra copy of the exported Excel file on the user's Desktop without explicit user consent. This exceeds the expected behavior of a normal export operation and can unintentionally disclose ranking data in a more visible/shared location, especially on multi-user systems or synced desktops.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script performs an additional filesystem side effect by copying the generated image to ~/Desktop without requiring explicit user consent and without clearly documenting that behavior in the function contract. This can leak generated content into a more visible/shared location, violate least surprise, and create privacy or operational issues in automated environments even though it is not direct code execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code deliberately disables TLS certificate validation and hostname checks while also omitting SNI, which removes core protections against man-in-the-middle interception and server impersonation. In a rankings-query skill, this transport bypass is not justified by normal functionality and makes all returned data untrustworthy if the network path or DNS is influenced.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The markdown promotes automatic subscription pushing but does not clearly warn that ongoing outbound notifications may be sent to configured channels and could disclose ranking data or user preferences to third-party services. Lack of disclosure increases the risk of unintended data sharing, spammy behavior, or persistent actions the user did not fully understand.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation instructs users to export data to Excel and automatically save or copy files to Desktop without warning about local file creation, privacy exposure, or possible overwrites. Desktop is a highly visible shared location on many systems, so automatic writes there can leak business-sensitive data or surprise users with unintended persistence.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code sends OpenID identifiers and ranking/message content to the WeChat API without any visible consent, minimization, or disclosure controls in this component. In the context of a rankings skill, this creates a privacy and compliance risk because user identifiers and generated content are transmitted to a third party through an external messaging channel.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
By setting check_hostname to false and verify_mode to CERT_NONE, the script transmits requests over an unauthenticated TLS channel without warning the user. An attacker on the network could intercept, modify, or spoof API responses, causing false rankings data or using the skill as a conduit to communicate with an attacker-controlled endpoint.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script persists subscription records, including contact fields such as email and wechat_id, directly to a local JSON file without any notice, consent flow, minimization, access controls, or protection at rest. In the context of a subscription manager that handles user identifiers and contact details, this creates privacy and data-exposure risk if the host is shared, backups are accessible, or the file is accidentally committed or copied.

VirusTotal

62/62 vendors flagged this skill as clean.
