xhs-search-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection as it is designed to fetch and process untrusted external data.
      • Ingestion points: scripts/fetch_note_texts.py and scripts/export_notes.py retrieve note titles, descriptions, and comments from Xiaohongshu.
      • Boundary markers: None identified. Content is passed directly to output formats (JSON/Excel) likely intended for LLM consumption.
      • Capability inventory: The skill has broad capabilities including arbitrary network requests (requests library) and file system modification (openpyxl, media downloads).
      • Sanitization: There is no logic to filter or escape instructions embedded within the XHS content before it enters the agent's context.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill requires Xiaohongshu session cookies for authentication.
      • Evidence: Instructions in SKILL.md and logic in xhs_full_cli.py encourage passing session cookies via command-line arguments (--cookie) or environment files. This exposes sensitive credentials to shell history and process monitoring tools.
  • [COMMAND_EXECUTION] (MEDIUM): The skill utilizes dynamic execution of JavaScript assets.
      • Evidence: The setup script scripts/setup_env.sh installs pyexecjs, which is used to execute the bundled JavaScript in assets/js/ for request signing. This execution of local assets, while functional, provides a vector for command execution if the assets are tampered with.
  • [EXTERNAL_DOWNLOADS] (LOW): The setup process relies on external package repositories.
      • Evidence: scripts/setup_env.sh performs runtime installation of Python dependencies from PyPI and Node.js packages from npm. While these are standard sources, the reliance on remote assets during installation is noted.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:07 PM