xiaohongshu
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The setup-xhs-mcp skill downloads external resources including docker-compose.yml and compiled binaries from an untrusted GitHub repository (github.com/xpzouying/xiaohongshu-mcp).
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of unverified remote code by fetching and running Docker containers and binary releases from a third-party source at runtime.
- [COMMAND_EXECUTION]: The setup-xhs-mcp script executes high-risk shell commands such as docker compose up -d and utilizes curl piped to shell logic to install the underlying MCP service.
- [DATA_EXFILTRATION]: The skill accesses sensitive local files including ~/.claude/settings.json, .claude/settings.json, and .cursor/mcp.json to read and modify client configuration settings.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it retrieves and processes untrusted user-generated content from Xiaohongshu (notes and comments) which could influence agent behavior.
- Ingestion points: Content is ingested via list_feeds, search_feeds, and get_feed_detail in xhs-explore/SKILL.md and xhs-search/SKILL.md.
- Boundary markers: None; the skill does not use delimiters to isolate retrieved content from instructions.
- Capability inventory: The agent has write capabilities including publish_content, post_comment_to_feed, and like_feed across multiple sub-skills.
- Sanitization: No evidence of sanitization or filtering of external social media content before it is presented to the agent model.
Recommendations
- AI detected serious security threats
Audit Metadata