write-xiaohongshu
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core workflow of ingesting untrusted data.
  - Ingestion points: Uses the get_specified_post tool to read Xiaohongshu post content/comments and Firecrawl MCP to fetch external web data in Steps 1, 2, and 3.
  - Boundary markers: The instructions lack explicit delimiters or system-level warnings to ignore instructions embedded within the fetched search results or social media comments.
  - Capability inventory: The skill has the capability to publish content to a user's Xiaohongshu account via the Xiaohongshu MCP.
  - Sanitization: There is no mention of escaping, filtering, or validating the external content before it is processed by the LLM to generate the final post.
- [EXTERNAL_DOWNLOADS]: The skill performs several external network operations to retrieve data and assets.
  - Web Retrieval: Uses Firecrawl MCP to fetch background information and fact-check data from arbitrary web URLs.
  - Image Retrieval: Step 5 involves searching for and retrieving 1-2 high-definition images from external repositories such as Pexels or Unsplash when user images are not provided.
- [DATA_EXFILTRATION]: While the skill's primary purpose is publishing, it handles sensitive account context (checking login status and generating QR codes for authentication). No malicious exfiltration code is detected, but the combination of reading external instructions (indirect injection) and possessing write capabilities to a social media account creates a potential risk of unauthorized posting if the agent is manipulated by adversarial web content.
Audit Metadata