post-comment-skill
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious code or security vulnerabilities were identified during the analysis of the skill's instructions and script.
- [DATA_EXPOSURE]: The script handles sensitive information (XIAOHONGSHU_XSEC_TOKEN) through environment variables. This is the recommended practice for managing API credentials and does not constitute a security risk within the skill's operational context.
- [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied strings for comment content. While it lacks internal sanitization, it functions as a pass-through to a backend server. Ingestion point: XIAOHONGSHU_COMMENT_CONTENT in scripts/post-comment.mjs. Capability: Network POST to MCP server. This surface is consistent with the skill's primary purpose and relies on the underlying platform's safety layers.
Audit Metadata