Xiaohongshu Account Diagnosis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Xiaohongshu analysis skill, but it needs review because it disables HTTPS certificate checks while sending an API key and account IDs, and it can create scheduled follow-up tasks and persistent report files.

Install only if you are comfortable providing a Redfox API key, sending Xiaohongshu account IDs and related request data to Redfox, saving raw and generated reports locally, and using optional scheduled follow-ups. Before sensitive or production use, TLS certificate verification should be restored, calendar scheduling should require explicit confirmation with clear cancellation, and generated HTML reports should be treated as sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Context-Inappropriate Capability

Medium severity, 89% confidence
Finding
The skill directs the agent to create a calendar task to trigger a future push report, which expands behavior from immediate analysis into persistent scheduled action. That can cause unauthorized side effects in a user's calendar/account and creates a mechanism for deferred execution that the user may not fully understand or expect from an analysis skill.

Context-Inappropriate Capability

Medium severity, 90% confidence
Finding
This repeats the same pattern of mandating calendar-based deferred execution when no works (post) data exists, again causing the agent to modify user state outside the immediate task. Requiring scheduling as a built-in step increases the chance of unwanted persistence and broadens the blast radius beyond simple content analysis.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
The template imports executable JavaScript from a third-party CDN at render time, which creates a supply-chain and availability risk for what should be a mostly self-contained local report. If the CDN is compromised, blocked, or serves altered content, anyone opening the report could execute attacker-controlled code in the page context or lose export functionality.

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The workflow expands beyond passive account analysis into proactive subscription handling, delayed follow-up, and push-style report delivery. That broadens the skill's authority and creates side effects on the user's behalf, increasing the risk of unauthorized actions, surprise follow-up contact, and misuse of scheduling capabilities if user consent is unclear or loosely interpreted.

Description-Behavior Mismatch

Low severity, 88% confidence
Finding
The skill automatically performs web-wide background enrichment across other platforms and media sources, which exceeds the stated purpose of analyzing a Xiaohongshu account. This can result in unnecessary collection and aggregation of personal information about the account owner without transparency or user awareness, raising privacy and scope-creep concerns.

Context-Inappropriate Capability

Medium severity, 96% confidence
Finding
The workflow instructs the agent to create calendar tasks for later report delivery, which is not necessary for basic account analysis and introduces an unrelated privileged action. Access to calendaring can create persistent side effects, clutter user systems, and be abused to schedule deceptive or unwanted follow-ups if confirmation and scoping are weak.

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
The skill is presented as an account-analysis tool, but it also invokes a remote sync/subscribe endpoint that triggers external data collection jobs. That is a meaningful capability expansion beyond passive analysis, and users may not realize the tool can cause third-party processing or monitoring of target accounts.

Context-Inappropriate Capability

High severity, 99% confidence
Finding
The POST helper disables both certificate validation and hostname verification, which makes HTTPS connections vulnerable to man-in-the-middle interception and response tampering. Because this function carries an API key and account-identifying data, an attacker on the network path could steal credentials or inject malicious API responses.

Intent-Code Divergence

Medium severity, 98% confidence
Finding
The docstring explicitly documents that SSL certificates are not verified, and the helper is then used as the standard client for production API requests. This confirms the insecure transport behavior is intentional in code, not an incidental test artifact, increasing the likelihood of credential exposure and tampered results.

Missing User Warnings

Medium severity, 94% confidence
Finding
The README documents the need for a third-party API key but does not clearly disclose that user-supplied account identifiers and related analysis requests may be transmitted to Redfox Hub or another external service. This creates a data transparency and consent issue: users may assume analysis is local or first-party, when in fact account data and request metadata could be sent to an external provider.

Missing User Warnings

Medium severity, 92% confidence
Finding
The skill instructs saving raw account data and generating JSON/HTML report files locally without notifying the user about storage, retention, or file locations. This is risky because account analysis data may include personal or commercially sensitive information, and silent persistence increases exposure to later leakage or misuse.

Missing User Warnings

Medium severity, 87% confidence
Finding
The skill instructs WebSearch to gather external background information, interviews, and cross-platform presence about account owners without a privacy disclosure or consent boundary. That broadens profiling beyond the user-supplied identifier and can aggregate personal information from multiple sources in ways the subject and user may not anticipate.

Missing User Warnings

Medium severity, 93% confidence
Finding
The template loads html2canvas from a third-party CDN at runtime without pinning integrity or bundling a trusted local copy. If the CDN resource is tampered with, blocked, or replaced, any user opening the generated report could execute attacker-controlled JavaScript in the page context, which is more concerning here because the HTML report may contain account data and user-generated content.

Missing User Warnings

Medium severity, 94% confidence
Finding
Automatic WebSearch for background, interviews, and cross-platform presence aggregates data about a person or account across sources without any visible privacy notice or necessity check. Even when using public data, silent aggregation increases privacy risk and can surface sensitive or irrelevant information beyond what the user expected from an account-diagnosis skill.

Missing User Warnings

Low severity, 81% confidence
Finding
The workflow directs saving structured report data and generating local HTML files without clearly informing the user that artifacts will be written to disk. This can create unintended retention of potentially sensitive account-analysis outputs and may surprise users who expected only an in-chat response.

Missing User Warnings

Medium severity, 84% confidence
Finding
The code transmits user/account identifiers and a source label to an external service without any visible disclosure or consent mechanism in this file. In a data-analysis skill, silent transmission of identifiers to a third party creates privacy and compliance risk, especially when users may assume processing is local.

Missing User Warnings

Medium severity, 89% confidence
Finding
The script saves raw API responses containing account and audience-related data to disk in output/raw_data.json without an explicit retention, access-control, or consent model. Local persistence increases the blast radius of sensitive data exposure through shared machines, backups, logs, or accidental file disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.