xiaohongshu-cli
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a local CLI utility `xhs` to perform API operations. These commands are executed in the host environment to interact with Xiaohongshu services.
- [CREDENTIALS_UNSAFE]: The `xhs login` command accesses sensitive session data by extracting cookies directly from local browser installations (e.g., Chrome). While necessary for functionality, this exposes user authentication tokens to the agent's environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted data from an external platform (notes, comments, search results) and provides the agent with powerful tools to act upon its environment.
  - Ingestion points: External content is ingested via `xhs search`, `xhs read`, and `xhs comments` in SKILL.md.
  - Boundary markers: The instructions lack delimiters or warnings to ignore embedded instructions in the fetched content.
  - Capability inventory: The agent can perform network requests, post content, follow users, and delete items using the `xhs` tool.
  - Sanitization: There is no evidence of sanitization or validation of the external content before it is processed by the agent.
Audit Metadata