xhs-note-creator
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requires the user to store a sensitive Xiaohongshu session cookie (XHS_COOKIE) in a .env file. This cookie provides full access to the user's account and is read by the publishing scripts.
- [DATA_EXFILTRATION]: The
scripts/publish_xhs.pyscript includes an API mode that transmits the session cookie and note content to a URL defined by theXHS_API_URLenvironment variable. While it defaults to localhost, the ability to send authentication tokens to a configurable remote endpoint represents a significant exfiltration risk if the configuration is influenced by an attacker. - [COMMAND_EXECUTION]: The skill relies on executing shell commands and scripts to render images (via Playwright) and publish content. This includes running Python and Node.js scripts that interact with the system and network.
- [EXTERNAL_DOWNLOADS]: The skill's setup process involves running
playwright install chromium, which downloads executable browser binaries from external servers (managed by Microsoft). While standard for browser automation, this is a download of external executable code. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes Markdown content that could originate from untrusted external sources.
- Ingestion points: Markdown files read by
scripts/render_xhs.pyandscripts/render_xhs_v2.py. - Boundary markers: None identified to delimit or protect against instructions embedded within the processed Markdown body.
- Capability inventory: The skill has the capability to perform network writes (publishing to Xiaohongshu) and local file access.
- Sanitization: No evidence of sanitization or escaping for the Markdown content before it is processed for rendering.
Audit Metadata