qianfan
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The installation instructions direct users to clone a repository from an unverified GitHub account (liuysh2/qianfan-skill). This is common for community skills, but the code is fetched without any provenance check: nothing pins it to a reviewed commit or signature, so whatever is at the branch head at clone time is what runs.
- REMOTE_CODE_EXECUTION (MEDIUM): The documentation states that qianfan.js generates Playwright automation scripts dynamically at runtime. Generating code from runtime inputs is risky if any untrusted data (page content from the seller backend, values from a user-supplied JSON file) can influence the generated script, since that turns a data-handling bug into code execution inside the Playwright process.
- DATA_EXFILTRATION (LOW): The skill operates on a live authenticated session for a merchant platform and saves screenshots of sensitive pages to /tmp/qianfan-screenshots/. The screenshots are intended for agent review, but /tmp is a shared directory: unless the directory is created with restrictive permissions and cleared after the session, other local users and processes can read them.
- INDIRECT_PROMPT_INJECTION (LOW): The skill has a significant attack surface for indirect prompt injection (IPI), since it scrapes and analyzes content from the Xiaohongshu seller backend (buyer messages, order fields and similar text that third parties control) and also processes local JSON files.
  - Ingestion points: ark.xiaohongshu.com page text and form elements, and user-provided JSON configuration files.
  - Boundary markers: No explicit boundary markers, and no instruction to the agent to ignore directives found in extracted web content, are documented.
  - Capability inventory: Browser navigation, element clicking, text input, file uploading (images), and screenshot capture. An injected instruction that the agent follows therefore has real effects on the merchant account.
  - Sanitization: No sanitization or validation of the scraped web content is mentioned before it is processed by the agent.
Audit Metadata