rednote-skill
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing a series of standalone Python scripts (e.g., publish_note.py, comment_note.py) that utilize the Playwright library to automate browser tasks.
- [DATA_EXFILTRATION]: The publish_note.py script includes functionality to upload local files to the Xiaohongshu platform via the --image-urls parameter. This is a core feature for publishing content, though it creates an interface for accessing local files.
- [PROMPT_INJECTION]: The skill consumes content from external note URLs and keywords. This content is untrusted and may contain instructions targeting the agent.
  - Ingestion points: dump_note.py and search_note_by_key_word.py.
  - Boundary markers: No delimiters or instructions to ignore embedded commands were identified in the scripts.
  - Capability inventory: The skill has capabilities to interact with the platform (commenting, following, publishing) based on processed data.
  - Sanitization: No sanitization or validation of the extracted content is performed.
Audit Metadata