xhs

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires passing full URLs containing xsec_token and relies on cookie/session tokens in CLI commands (e.g., get-content "FULL_URL_WITH_XSEC_TOKEN"), which forces the agent to read and embed sensitive tokens verbatim in generated commands — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly searches and scrapes public, user-generated Xiaohongshu (小红书) content — e.g., bin/search, bin/fetch-post.js and bin/get-images.js (via rednote-mcp and INITIAL_STATE extraction) — and the agent is expected to read and synthesize post text, comments, and images into findings, so it consumes untrusted third-party content that could carry indirect prompt injections.