xiaohongshu-cover-generator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Prompt Injection (HIGH): The skill is highly susceptible to prompt injection. The user-provided `topic` is directly substituted into multiple placeholders (`{page_content}`, `{user_topic}`, `{full_outline}`) within the `SYSTEM_PROMPT` in `scripts/handler.ts`. An attacker could provide a malicious topic string to override the system instructions.
  - Evidence: `const systemPrompt = SYSTEM_PROMPT.replace('{page_content}', topic).replace('{page_type}', '[封面]').replace('{user_topic}', topic).replace('{full_outline}', topic);`
- Indirect Prompt Injection (HIGH): As an AI skill processing untrusted external content (user topic), it meets the high-severity criteria due to its capability to perform file-system operations.
  - Ingestion points: The `topic` parameter in `scripts/handler.ts` (passed via command line arguments).
  - Boundary markers: Absent. The user input is merged directly with the system instructions.
  - Capability inventory: Writes generated image data to the local file system using `fs.writeFileSync` in `scripts/handler.ts`.
  - Sanitization: Absent. There is no escaping or validation of the input topic before it is sent to the LLM.
- Data Exposure (LOW): The skill requires a third-party API key (`CANGHE_API_KEY`) to function. While it is standard practice to use environment variables, users are directed to an external, non-whitelisted domain (api.canghe.ai) to obtain and use credentials.
Recommendations
- AI detected serious security threats
Audit Metadata