zhihu-cli
Warn
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Recommends the installation of `pyzhihu-cli` from an unverified third-party repository (github.com/BAIGUANGMEI/zhihu-cli) using `uv` or `pipx`. This introduces a potential supply chain risk as the binary originates from an unknown source.
- [CREDENTIALS_UNSAFE]: Instructions guide the manual handling of raw session cookies (`z_c0`, `_xsrf`, `d_c0`) via the `zhihu login --cookie` command, which can lead to accidental credential exposure in chat logs or environment history.
- [COMMAND_EXECUTION]: The skill relies on shell commands for all operations. It specifically includes instructions for destructive actions (deleting content) using the `-y` flag to bypass user confirmation, which increases the risk of unintended data loss.
- [DATA_EXFILTRATION]: The skill accesses and manages sensitive session information stored in `~/.zhihu-cli/cookies.json`. Access to these credentials, combined with the skill's network capabilities, represents a data exposure risk.
- [PROMPT_INJECTION]: The skill processes untrusted external data retrieved from Zhihu, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters via `zhihu search`, `zhihu hot`, `zhihu feed`, `zhihu question`, and `zhihu answer` commands in `SKILL.md`.
  - Boundary markers: No boundary markers or "ignore instructions" warnings are present to delimit external content from system instructions.
  - Capability inventory: The skill has powerful capabilities across multiple scripts, including `zhihu ask`, `zhihu pin`, `zhihu article`, `zhihu vote`, and `zhihu delete-*`.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the retrieved content before it is processed by the agent.
Audit Metadata