The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The README.md and SKILL.md files provide instructions to download binary files (xiaohongshu-mcp and xiaohongshu-login) from a personal GitHub repository (xpzouying/xiaohongshu-mcp) which is not a trusted organization or well-known service.
[REMOTE_CODE_EXECUTION]: The workflow relies on executing the aforementioned downloaded third-party binaries. Running unverified executables from untrusted sources is a high-risk operation that could lead to full system compromise.
[CREDENTIALS_UNSAFE]: In scripts/start-mcp.sh, the skill copies sensitive session cookies to /tmp/cookies.json. Because /tmp is typically world-readable on Linux systems, this exposes the user's Xiaohongshu login credentials to any other user or process on the same machine.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its topic tracking feature. The scripts/track-topic.py script aggregates untrusted content from social media posts and comments into reports without sanitization or boundary markers.
Ingestion points: Data is ingested from Xiaohongshu search results via scripts/track-topic.py.
Boundary markers: No delimiters or 'ignore' instructions are present in the generate_report function to isolate untrusted content.
Capability inventory: The skill possesses capabilities to publish content and post comments using the publish_content and post_comment_to_feed tools.
Sanitization: There is no evidence of HTML escaping, content filtering, or validation for the text retrieved from external posts.

xiaohongshu-workflow