xiaohongshu-workflow
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs obtaining cookie files and explicitly passing tokens (e.g., <xsec_token>) as command-line arguments and in scripts/commands, which requires embedding secret values verbatim and thus presents an exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These URLs include direct downloads of prebuilt executables/archives and raw scripts hosted under relatively unknown GitHub accounts (xpzouying, JoeanAmier) and instructions to run them and extract cookies—exactly the kind of distribution/credential-exfiltration vector that is risky even if hosted on GitHub (only tampermonkey.net and the localhost endpoint are benign/expected).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public, user-generated Xiaohongshu content via the MCP API (see SKILL.md and references/api-reference.md using tools like search_feeds and get_feed_detail) and the scripts (notably scripts/track-topic.py and mcp-call.sh) parse posts and comments and use that data to generate reports and drive replies/monitoring—so untrusted third‑party content is read and can materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and installs/executes remote binaries from GitHub Releases (e.g. https://github.com/xpzouying/xiaohongshu-mcp/releases/latest/download/xiaohongshu-mcp-linux-amd64.tar.gz and https://github.com/xpzouying/xiaohongshu-mcp/releases/latest/download/xiaohongshu-login-linux-amd64.tar.gz) and also clones/uses external tooling (git clone https://github.com/JoeanAmier/XHS-Downloader.git and the raw userscript https://raw.githubusercontent.com/JoeanAmier/XHS-Downloader/refs/heads/master/static/XHS-Downloader.js) during setup/runtime, and those fetched artifacts are executed/installed and are required for the skill to function, so they constitute a high-risk runtime external dependency.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).