Back to skill

Security audit

小红书内容分析 - 获取小红书内容表现数据

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Xiaohongshu content research CLI that uses a third-party API and saves local JSON logs, with privacy caveats but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending Xiaohongshu keywords, note URLs, and your GUAIKEI_API_TOKEN to the guaikei.com API. Treat generated log files as potentially sensitive research records, especially on shared or backed-up machines, and delete them when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The documentation claims capabilities such as competitor-account monitoring and real-time hot-search retrieval that exceed the stated manifest scope of note search and detail/comments. Scope inflation is dangerous because users and orchestrators may invoke the skill in ways that bypass intended review boundaries or cause unexpected data collection.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Although this CLI is presented as a search/read-only tool, it silently persists the full search output to a local JSON file. Search results and queried keywords may contain sensitive research topics, user-generated content, or operational data, and writing them to disk creates unintended data retention and exposure risk on shared systems or in agent environments where workspace files may later be accessed, uploaded, or indexed.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The activation condition is broad enough to trigger on generic research requests involving Xiaohongshu/RedNote, which can cause the skill to run outside clear user intent. Over-broad invocation increases the risk of unnecessary external data access and unintended collection or local storage of output.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The skill advertises JSON export and automatic local log storage without prominently warning users that data will be written to disk. Silent persistence can expose scraped content, URLs, and analysis artifacts to other local users, backup systems, or later unintended processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to obtain and set a private API token in an environment variable but do not prominently explain credential handling risks. Users may paste secrets into shared shells, commit them to scripts, or expose them through process listings, screenshots, or logs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI sends the user-supplied note URL and API token to an external backend via createDetailTask/getDetailTask, but the runtime flow does not provide an explicit consent or disclosure prompt before transmission. In a content-research skill this is expected functionality, but it still creates a privacy/transparency risk because users may not realize links and associated metadata are being sent to a third-party service.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The tool persists returned detail data to a local JSON file automatically after execution, without a clear upfront warning in the CLI interface. This can expose scraped content, metadata, or user-request history to other local users/processes and may surprise users who expected only console output.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code writes search results to a local JSON log file without a clear user-facing disclosure at execution time, despite the tool's primary function being content search. In automation or multi-tenant agent contexts, this can leak collected data and query terms into persistent storage unexpectedly, increasing the chance of later disclosure through logs, backups, artifact collection, or other tools reading the workspace.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.