redbook-cards-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent prompt/template skill for generating Xiaohongshu-style HTML cards, with the main caution that generated pages load Google Fonts from the internet.

Safe to install for creating Xiaohongshu-style HTML card pages. Review generated HTML before publishing, and replace Google Fonts with local or system fonts if you need offline output or want to avoid browser requests to Google when opening the file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 95%
Finding
The prompt instructs the generated HTML to load Google Fonts from a third party, which causes browser requests to external infrastructure when the file is opened. That can leak user IP address, user agent, referrer/local usage context, and create privacy/compliance issues, especially because the output is a local HTML artifact that users may assume is self-contained.

Missing User Warnings

Low
Confidence: 93%
Finding
The skill explicitly requires loading Google Fonts from fonts.googleapis.com, which causes the generated HTML to make external network requests when opened. This creates a privacy and transparency issue because users may believe the output is a self-contained local HTML file, while opening it leaks metadata such as IP address and user-agent to a third party.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill hard-codes Chinese typography and a Xiaohongshu-specific output style without requiring explicit user opt-in. This can cause unwanted or misleading output for users expecting generic card generation, and may create branding, localization, or compliance issues when content is repurposed for other audiences or platforms.

VirusTotal

65/65 vendors flagged this skill as clean.
