xiaohongshu-workflow

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Instructions in SKILL.md and README.md direct users to download and execute pre-compiled binaries from the untrusted GitHub account xpzouying. These binaries are opaque and could contain malicious code, posing a high risk to the host system.
  • [COMMAND_EXECUTION]: The script scripts/mcp-call.sh is vulnerable to shell command injection. It embeds the unquoted shell variable $TOOL_ARGS directly into a double-quoted string within a curl command. This allows an attacker to execute arbitrary system commands if user-provided input (such as search keywords) contains command substitution syntax (e.g., $(...)).
  • [CREDENTIALS_UNSAFE]: The skill manages Xiaohongshu session credentials in cookies.json. The script scripts/start-mcp.sh copies this sensitive file to /tmp/cookies.json. On most Linux systems, the /tmp directory is world-readable, potentially exposing the user's active session and private data to other users on the system.
  • [EXTERNAL_DOWNLOADS]: The skill downloads the XHS-Downloader tool and its associated Python dependencies from a third-party GitHub repository (JoeanAmier/XHS-Downloader) without integrity verification.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface when generating reports from external data.
      • Ingestion points: The tools search_feeds and get_feed_detail in track-topic.py ingest content (titles, descriptions, comments) from external Xiaohongshu posts.
      • Boundary markers: None detected; the ingested content is interpolated directly into Markdown reports without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill possesses the capability to execute shell commands via subprocess.run and write files, providing a path for malicious instructions in external data to trigger system actions.
      • Sanitization: No validation or sanitization of external text is performed before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 13, 2026, 07:00 AM