xhs-downloader
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It is designed to ingest external data from Xiaohongshu (XHS) URLs including titles, descriptions, and metadata. Simultaneously, the skill instructions provide the agent with high-privilege capabilities such as file system modification and the execution of local Python scripts.
  - Ingestion points: XHS.extract(url) in source/application/app.py (via scripts/extract_template.py and examples/quick_download.py) fetches untrusted content from xiaohongshu.com and xhslink.com.
  - Boundary markers: Absent. The agent is not instructed to ignore or delimit instructions found within the fetched text (e.g., the 作品标题 and 作品描述 fields).
  - Capability inventory: The skill allows the agent to write files to the disk and execute shell commands (e.g., python cli.py filter ... in SKILL.md and workflow/step3-查看结果.md).
  - Sanitization: Absent. There is no evidence of escaping or filtering logic for the content fetched before it is presented to the agent's context.
- COMMAND_EXECUTION (HIGH): The skill's workflow and documentation (e.g., SKILL.md, workflow/step2-执行下载.md) frequently direct the agent to execute Python code and shell scripts using hardcoded paths (C:\Users\admin\Projects\...). While intended for local operation, these instructions encourage the agent to run commands that could be manipulated if an attacker can influence the environment or the parameters passed to these scripts.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill actively downloads images and videos from external domains (xiaohongshu.com). While these are legitimate targets for a downloader, processing arbitrary URLs provided by users can lead to server-side request forgery (SSRF) or exploitation of media parsing libraries (like lxml, mentioned in the dependencies).
Recommendations
- AI detected serious security threats
Audit Metadata