Xiaohongshu Copy Rewriting (小红书文案改写)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Xiaohongshu copy-rewriting skill. It makes a disclosed usage-reporting network call that users should weigh before installing.

Install only if you are comfortable with the skill making a usage-count request to redfox.hk when the helper script is invoked with text. The reviewed code does not send the draft content, use credentials, persist itself, or modify local files, and VirusTotal/static scans were clean.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3
Severity: Medium | Category: MCP Least Privilege | Confidence: 93%

The skill declares itself as a text rewriting tool but documents capabilities that read local files and make network requests without declaring corresponding permissions. This weakens transparency and consent boundaries, making it easier for the skill to access local data or communicate externally in ways users and hosts may not expect.

Tp4
Severity: High | Category: MCP Tool Poisoning | Confidence: 97%

The documented behavior does not match the advertised purpose: beyond rewriting, it reads a local rules file and sends usage data to an external endpoint, while the actual rewrite is delegated to the agent/model rather than performed by the script. This mismatch can mislead users and operators about what the skill really does, undermining trust and creating hidden data-flow risk.

Description-Behavior Mismatch
Severity: Medium | Confidence: 96%

A skill marketed as a copywriting/rewriting utility performs automatic external usage reporting to a remote API, which is unrelated to the core function. Even if intended for analytics, unsolicited outbound communication increases privacy and supply-chain risk because user activity metadata may be disclosed to a third party.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%

Unauthenticated automatic telemetry to a third-party service is unjustified for a local text-rewriting skill and creates an unnecessary external data channel. Lack of authentication does not reduce risk; it means any invocation can trigger reporting, with limited accountability or access control on the receiving side.

Description-Behavior Mismatch
Severity: Medium | Confidence: 95%

The skill is presented as a local text-rewriting utility, but invoking it with content triggers an outbound POST to a remote domain. Even though the current payload only sends a fixed source string, the undeclared network side effect creates an unnecessary data egress channel and violates user expectations for an offline rewriting helper.

Context-Inappropriate Capability
Severity: Medium | Confidence: 96%

The remote logging function is not needed to extract rules or rewrite text, so it expands the skill's attack surface without functional justification. A hidden or unjustified outbound request can be repurposed later for exfiltration, tracking, or command-and-control-like behavior, making the mismatch between stated purpose and implementation security-relevant.

Missing User Warnings
Severity: Medium | Confidence: 98%

The skill states that reporting occurs before producing output but does not clearly disclose the privacy consequences or exactly what user-derived content or metadata is transmitted. Because users may submit sensitive draft marketing text, personal experiences, or proprietary content, undisclosed external transmission can expose confidential information.

Missing User Warnings
Severity: Medium | Confidence: 93%

The script performs network reporting when given text input without clearly informing the user at the moment of execution what destination will be contacted and what exact data will be transmitted. In a rewriting skill, users may reasonably paste sensitive draft content, so silent or poorly disclosed network activity materially increases privacy and trust risk even if the current payload is limited.
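The findings above (the undeclared capabilities in Lp3 and Tp4, and the unknown destination and payload in the two Missing User Warnings entries) reduce to two checks a reviewer can run before installing: which capabilities does the helper use that the skill never declares, and what exactly leaves the machine, and to where, when the helper is invoked with text. The Python below is an added example written for this page; it is not code from the skill, from SkillSpector or from VirusTotal. The manifest shape, the stand-in helper script and the placeholder URL https://example.invalid/usage are constructed (the page names only the host redfox.hk and a fixed source string as the payload). The dynamic pass runs the helper with urlopen swapped for a recorder and raw sockets disabled, so nothing is actually sent.

```python
"""Pre-install checks for a skill helper: static (undeclared capabilities) and dynamic (actual egress)."""
import ast
import io
import json
import re
import socket
import urllib.request
from contextlib import redirect_stdout
from unittest import mock

# Constructed manifest (assumed shape, not a real marketplace schema): the skill
# declares no permissions at all.
MANIFEST = {"name": "xhs-rewrite", "permissions": []}

# Constructed stand-in for a helper of the kind the findings describe: it reads a
# local rules file and POSTs a fixed usage marker before printing. The URL is a
# placeholder; the page names only the host redfox.hk.
HELPER_SOURCE = '''
import json, urllib.request

def load_rules(path="rules.md"):
    try:
        with open(path, encoding="utf-8") as f:
            return f.read()
    except FileNotFoundError:
        return "(no rules file)"

def report_usage():
    body = json.dumps({"source": "xhs-rewrite"}).encode()
    req = urllib.request.Request("https://example.invalid/usage", data=body, method="POST")
    urllib.request.urlopen(req, timeout=3)

def main(argv):
    text = argv[1] if len(argv) > 1 else ""
    if text:
        report_usage()
    print(load_rules())
'''

# Sinks that imply a capability the manifest should declare.
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.Request", "requests.get",
                 "requests.post", "requests.request", "http.client.HTTPConnection",
                 "http.client.HTTPSConnection", "socket.socket", "socket.create_connection"}
FILE_CALLS = {"open", "os.listdir", "os.walk", "glob.glob", "pathlib.Path"}
ENV_ATTRS = {"os.environ", "os.getenv"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def undeclared_capabilities(manifest, source):
    """Capabilities the code uses but the manifest does not declare, with evidence."""
    used = {"network": [], "filesystem": [], "env": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in NETWORK_CALLS:
                used["network"].append(f"line {node.lineno}: {name}()")
            elif name in FILE_CALLS:
                used["filesystem"].append(f"line {node.lineno}: {name}()")
        elif isinstance(node, ast.Attribute) and dotted_name(node) in ENV_ATTRS:
            used["env"].append(f"line {node.lineno}: {dotted_name(node)}")
    used["network"] += [f"destination literal: {m.group(0)}" for m in URL_RE.finditer(source)]
    declared = set(manifest.get("permissions", []))
    return {cap: ev for cap, ev in used.items() if ev and cap not in declared}


def run_with_egress_capture(source, argv):
    """Run the helper with urlopen replaced by a recorder and raw sockets disabled.
    Returns (recorded requests, captured stdout); nothing leaves the machine."""
    recorded = []

    def fake_urlopen(req, *args, **kwargs):
        if isinstance(req, urllib.request.Request):
            url, method, body = req.full_url, req.get_method(), req.data
        else:
            url, method, body = req, "GET", kwargs.get("data")
        recorded.append({"url": url, "method": method,
                         "body": body.decode("utf-8", "replace") if body else ""})
        return io.BytesIO(b"")

    def no_socket(*args, **kwargs):
        raise RuntimeError("helper tried to open a raw socket outside the recorded path")

    ns, out = {"__name__": "skill_helper"}, io.StringIO()
    with mock.patch.object(urllib.request, "urlopen", fake_urlopen), \
         mock.patch.object(socket, "socket", no_socket), redirect_stdout(out):
        exec(compile(source, "<helper>", "exec"), ns)
        ns["main"](argv)
    return recorded, out.getvalue()


if __name__ == "__main__":
    print(json.dumps(undeclared_capabilities(MANIFEST, HELPER_SOURCE), indent=2))
    draft = "my draft post about a new cafe"
    for r in run_with_egress_capture(HELPER_SOURCE, ["helper.py", draft])[0]:
        print(r["method"], r["url"], "body:", r["body"], "| draft in body:", draft in r["body"])
```

For the constructed helper the static pass lists network and filesystem use against an empty permission list, and the recorder shows one POST whose body carries only the fixed source marker, not the submitted draft; an empty invocation records nothing, matching the "when invoked with text" condition in the overview. Re-run both passes on every update of a skill: a fixed payload in the reviewed version does not bind the next release.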

VirusTotal

65/65 vendors flagged this skill as clean.
