Xiaohongshu Data

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks for a Xiaohongshu session cookie while the included code appears to generate demo data rather than a real, auditable scraper.

Review this carefully before installing. Do not provide your main Xiaohongshu cookie unless you trust the publisher and can verify a real implementation with clear credential handling; treat the included script as demo output, use conservative limits, and avoid exporting or sharing creator profile/contact data without checking platform rules and privacy obligations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The report states that profile data was scraped from public sources and includes a creator contact handle in the bio, but it provides no warning about privacy, platform terms, consent, or downstream sharing limits. Even if the data is publicly visible, aggregating and republishing creator identity and contact information can increase unsolicited outreach, profiling, and compliance risk under platform rules or privacy laws.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal