xiaohongshu-workflow
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation (SKILL.md and README.md) instructs users to download executable binaries from a third-party GitHub repository (xpzouying/xiaohongshu-mcp) which is not on the trusted vendors list. These binaries are critical to the skill's functionality.
- [REMOTE_CODE_EXECUTION]: The installation process involves downloading compressed archives (.tar.gz), extracting them, granting execution permissions (chmod +x), and running the binaries as a background service (nohup). This pattern constitutes remote code execution from an unverified source.
- [COMMAND_EXECUTION]: Multiple shell scripts (e.g., scripts/start-mcp.sh, scripts/mcp-call.sh, scripts/track-topic.sh) are used to wrap and execute the downloaded binaries and Python scripts. The scripts/track-topic.py script also uses subprocess.run to dynamically execute scripts from other potentially installed skills (like feishu-docs).
- [CREDENTIALS_UNSAFE]: The skill requires the manual extraction and transfer of cookies.json, which contains highly sensitive session tokens for Xiaohongshu accounts. Instructions involve copying these credentials between local machines and servers, increasing the risk of exposure.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: scripts/track-topic.py fetches raw content (titles, descriptions, and comments) from Xiaohongshu feeds via the search_feeds and get_feed_detail tools.
- Boundary markers: The generated reports and data processing logic do not use delimiters or instructions to prevent the agent from obeying commands embedded in the scraped content.
- Capability inventory: The skill possesses capabilities to execute shell commands, write files, and perform network requests (publishing content/comments).
- Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the social media platform before it is presented to the AI agent or included in reports.
Recommendations
- AI detected serious security threats
Audit Metadata