xiaohongshu-ai-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core workflow.
  - Ingestion points: Untrusted external data is crawled from Xiaohongshu and saved to D:\xiaohongshu-crawler\output\notes_*.json, as described in workflow/step1-数据采集.md.
  - Boundary markers: While rules/禁止事项.md provides negative constraints for the LLM, there are no structural delimiters or 'ignore' instructions applied to the untrusted ingested data.
  - Capability inventory: The ingested data is used to generate content reports (step2), write new social media notes (step3), and create AI image generation prompts (step5).
  - Sanitization: No sanitization or validation of the crawled text is mentioned. Malicious instructions embedded in the crawled Xiaohongshu notes could influence or hijack the output generated in subsequent steps.
- [Command Execution] (MEDIUM): The skill requires the user to execute local Python scripts (search_xhs.py, comfyui_generator.py) and perform directory navigation via shell commands. This creates a local attack surface that depends on the integrity of the unprovided crawler and generator scripts.
- [Dynamic Execution] (MEDIUM): As documented in rules/ComfyUI配置.md and references/ComfyUI集成指南.md, the skill uses a script to dynamically modify local ComfyUI workflow JSON files at runtime. This modification of configuration data to control image generation parameters represents a dynamic execution risk.
Recommendations
- AI detected serious security threats
Audit Metadata