skills/inclusionai/aworld/xhs-scraper/Gen Agent Trust Hub

xhs-scraper

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The keyword parameter is directly interpolated into a python3 command string in scrape_xhs.sh. This allows an attacker to execute arbitrary system commands by including single quotes and shell commands in the keyword.
  • [COMMAND_EXECUTION]: The CDP port and output file parameters are also used to build shell commands without validation, which opens further command injection paths.
  • [PROMPT_INJECTION]: The script scrapes arbitrary content from Xiaohongshu notes and presents it to the AI without sanitization. This creates an indirect prompt injection surface where a malicious post could contain instructions to hijack the AI's behavior. Ingestion points are located in scrape_xhs.sh using browser evaluation tools, and there is no evidence of boundary markers or filtering for the scraped content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 03:14 AM