md-to-xhs-cards

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The skill's documented capabilities and file/credential access are consistent with its stated purpose (rendering markdown to Xiaohongshu image cards and optionally publishing them). I find no evidence in the provided text of obfuscation, hardcoded secrets, or active malware. The main security concern is credential handling for publishing: the skill accepts cookies via flags, environment variables, or .env and will cause network egress when publishing; the actual risk depends on the implementation of scripts/publish_xhs.py and which endpoints are contacted. Users should audit the publish script and be cautious with storing cookies in .env or environment variables. Overall, the fragment appears benign for rendering; publishing introduces moderate risk if the publish implementation is untrusted. LLM verification: This SKILL.md is primarily documentation for a CLI-driven markdown-to-Xiaohongshu card converter and optional publisher. The stated capabilities align with requested inputs (markdown, local images) and outputs (image cards, manifest). There are no hardcoded secrets or obfuscated payloads in this file. The main security concerns are: unpinned pip installs (supply-chain risk), execution of an external shell script whose contents are not supplied (execution-of-arbitrary-local-code risk), and the pu