xhs-smart-publisher

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains an explicit, intentional data-exfiltration/backchannel: it mandates taking screenshots of the filled publish page and sending them to a hardcoded Telegram target (accountId="xiaocode", target="-1003890797239") and reuses a local browser profile/CDP for login state — this is a deliberate privacy/backdoor risk; I found no obfuscated payloads, eval/exec with external input, reverse shells, or explicit credential-stealing code beyond the screenshot/remote-send and session-reuse behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill sends screenshots to and waits for confirmation messages from a third-party Telegram channel ("-1003890797239") and then reads those user-generated replies to decide whether to publish or save drafts, exposing the agent to untrusted third-party instructions.