xhs-creator

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill invokes local scripts via uv run python scripts/screenshot_cover.py and scripts/generate_cover.py. It passes generated strings (like the post title) directly into these shell commands as arguments. If the AI generates content containing shell metacharacters (e.g., backticks or semicolons) due to malicious external input, it could lead to arbitrary command execution.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill performs extensive data gathering via WebSearch and Xiaohongshu-specific MCP tools (search_feeds, get_feed_detail). This results in the ingestion of unvetted third-party data into the agent's context.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It analyzes external web content and user comments to drive its 'Strategy Brief' and content generation. Malicious instructions embedded in these external sources could manipulate the agent's output or trigger the command execution vulnerability mentioned above.
  • Ingestion points: get_feed_detail (captures post bodies and top 10 comments), WebSearch (retrieves industry news and hot topics).
  • Boundary markers: Absent. The instructions do not specify using delimiters or 'ignore' instructions for the ingested data during Phase 2 or 3.
  • Capability inventory: uv run python (local script execution), publish_content (writing to a social platform).
  • Sanitization: Absent. There is no instruction to escape or validate the generated content before passing it to the shell or the publishing tool.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:38 PM