xhs
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- Dynamic Code Modification (HIGH): The skill features an aggressive patching mechanism (patches/apply-all.sh) that modifies the source code of the rednote-mcp library located in /usr/lib/node_modules/. This behavior alters executable code on the system to bypass bot detection, which is a technique used by advanced persistent threats to compromise system integrity.
- Command Execution (HIGH): Multiple scripts (bin/fetch-post.js, bin/get-images.js) use child_process.execSync to execute the convert command-line utility. While the current implementation uses regex to sanitize the postId used in the path, the use of synchronous shell execution on paths is a significant security risk.
- Credential Management (MEDIUM): The skill stores and manages sensitive session cookies and proxy credentials in local JSON files (~/.config/geonode/credentials.json and ~/.mcp/rednote/cookies.json). Exposure of these files would lead to account or service takeover.
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from external social media posts (XHS).
  - Ingestion points: bin/fetch-post.js (extracts titles, descriptions, and comments from external URLs).
  - Boundary markers: Absent; the content is returned as raw text.
  - Capability inventory: Includes shell command execution (execSync) and full browser control (playwright).
  - Sanitization: No sanitization is performed on the extracted post text before it is returned to the agent context.
- Privacy Concerns (MEDIUM): The skill implements advanced browser fingerprinting evasion (stealth scripts in patch-rednote-tools.js) and coordinates interaction timing across processes using lock files, indicating highly evasive scraping behavior.
Recommendations
- AI detected serious security threats
Audit Metadata