xiaohongshu-dashboard
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill requires the installation of `pandas` and `openpyxl` via `pip`. While these are standard and reputable libraries, they are external dependencies installed at runtime.
- COMMAND_EXECUTION (LOW): The skill workflow involves executing a local Python script (`scripts/process_excel.py`) to handle data processing. This is a standard operation for this type of tool.
- INDIRECT_PROMPT_INJECTION / XSS (LOW): The skill ingests untrusted data from user-provided Excel files and embeds it into an HTML template.
  - Ingestion points: `scripts/process_excel.py` reads data from a user-specified `.xlsx` file.
  - Boundary markers: None are applied to the data within the Excel file.
  - Capability inventory: The skill executes a Python script, writes an `index.html` file to the local filesystem, and opens it in the default web browser.
  - Sanitization: The Python script does not perform HTML escaping on the content extracted from the Excel file (e.g., titles). If the resulting JSON is injected into a `<script>` tag in the HTML template without proper escaping, it could lead to Cross-Site Scripting (XSS) when the user views the dashboard.
Audit Metadata