xiaohongshu-skill
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires supplying and echoing session tokens (e.g., xsec_token) as CLI positional arguments and includes them in JSON outputs, which forces the agent to include secret values verbatim in generated commands/outputs and thus creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill drives a Playwright browser to visit public Xiaohongshu pages (e.g., https://www.xiaohongshu.com/explore, /search_result, /user/profile and note pages) and explicitly extracts user-generated content from window.INITIAL_STATE and the DOM. It then uses that data to decide on and perform actions (searching, loading comments, liking, commenting, replying, publishing), so untrusted third-party content can materially influence tool behavior and enable indirect prompt injection.