xhs-note-creator
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: A hardcoded Xiaohongshu session cookie (`XHS_COOKIE`) was found in the `.env` file. This exposes active session credentials and could allow unauthorized access to the associated account.
- [EXTERNAL_DOWNLOADS]: The skill initiates the download and installation of the Chromium browser through Playwright (`playwright install chromium` and `npx playwright install chromium`). While Playwright is a well-known service from Microsoft, it involves executing external binaries.
- [COMMAND_EXECUTION]: The skill workflow involves executing multiple Python and Node.js scripts (`render_xhs.py`, `publish_xhs.py`, `render_xhs_v2.js`) to process content, render images using a headless browser, and publish data to the Xiaohongshu platform.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted user data to generate Markdown content for rendering and publishing.
  - Ingestion points: User-provided descriptions and source materials in `SKILL.md` (Step 1).
  - Boundary markers: None identified; the skill does not use delimiters to isolate user input from its own instructions.
  - Capability inventory: Subprocess execution via Playwright, file system writes for generated images, and network operations to Xiaohongshu APIs in `publish_xhs.py` and `comment_manager.py`.
  - Sanitization: No evidence of sanitization or escaping was found in the scripts that interpolate content into HTML templates.
Recommendations
- AI detected serious security threats