
xhs-cli

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill stores sensitive Xiaohongshu session cookies in plain text files at 'data/xhs_cookie.txt' and 'data/creator_cookie.txt'. These files contain authentication tokens like 'web_session' and 'a1' that provide full access to the user's account if the skill directory is accessed by unauthorized actors or an AI agent.
  • [COMMAND_EXECUTION]: The skill executes the Playwright browser automation framework, which involves launching and managing Chromium processes on the host system.
  • [EXTERNAL_DOWNLOADS]: During setup, the skill triggers the download of the Chromium browser binary via 'playwright install'. While this comes from a trusted source, it is a significant external dependency for the execution environment.
  • [REMOTE_CODE_EXECUTION]: The skill makes extensive use of 'page.evaluate()' to run JavaScript within the browser context of the Xiaohongshu website. This is used for extracting data from the site's internal state and automating user actions like clicking and typing.
  • [DATA_EXFILTRATION]: Automated screenshots of the publishing process are saved to 'data/screenshots/'. These images may contain sensitive account details or private draft content.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted data from Xiaohongshu (notes and comments).
    1. Ingestion points: External content is ingested in 'xhs_client.py' through search and note detail functions.
    2. Boundary markers: No delimiters or safety instructions are used when passing retrieved content to the agent.
    3. Capability inventory: The skill possesses capabilities for file system writes (cookies, screenshots) and browser automation interactions.
    4. Sanitization: There is no evidence of sanitization or filtering of the retrieved text content before it is presented to the AI agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 04:46 AM