小红书达人笔记质检 for bbt (Xiaohongshu influencer note quality check for bbt)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised Xiaohongshu content checks, with caution around link fetching and user-requested wordlist edits.

Install only if you are comfortable with the agent making HTTP GET requests to public links you provide or ask it to check. Do not use it on internal/private URLs, and review any wordlist replacement or append request before allowing it because those edits persist and change future quality-check results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The trigger for entering 'wordlist update' mode is overly broad ('synonymous requests', 'maintain/replace skill config files'), which can cause the agent to misclassify ordinary user text as authorization to modify repository files. In a skill that explicitly permits file edits, ambiguous routing increases the chance of unintended configuration tampering or prompt-induced file changes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill allows direct updates to files under the skill directory without prominently warning the user that this changes repository state. That makes social-engineering and accidental persistent modification more likely, especially because the same skill also handles normal content-review requests and could be steered into state-changing actions.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding:
The script performs a server-side fetch of a user-controlled URL with curl and follows redirects, which can be abused for SSRF-style access to internal services, metadata endpoints, or other unintended network locations. In this skill context, the feature is expected, but the lack of URL allowlisting, scheme/host validation, and user warning still makes it a real security issue rather than a false positive.

VirusTotal

66/66 vendors flagged this skill as clean.