xiaohongshu-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill exhibits a High-Tier vulnerability surface. It ingests untrusted data via the `--title`, `--content`, and `--images` arguments and possesses 'write' capabilities (posting to a real-world platform). If an attacker provides malicious content or instructions via a processed source, the agent could be manipulated into publishing unauthorized content or leaking information.
  - Ingestion points: CLI arguments passed to `publish_content.js` and external image URLs.
  - Boundary markers: None identified in the provided documentation.
  - Capability inventory: Command execution (`node`), network operations (Playwright), and external write operations (Xiaohongshu publishing).
  - Sanitization: No evidence of input sanitization or validation of the content being published.
- [External Downloads] (MEDIUM): The documentation explicitly states that `publish_content.js` supports 'HTTP/HTTPS image links (downloaded automatically)'. This automatic download of arbitrary external resources can be used for Server-Side Request Forgery (SSRF) or to ingest malicious binary data into the local environment.
- [Command Execution] (MEDIUM): The skill facilitates the execution of local JavaScript files (`node scripts/check_login_status.js`, `node scripts/publish_content.js`). While this is functional, it establishes a pattern of arbitrary code execution for any agent using the skill, which is particularly dangerous if the local script files are modified by other processes.
- [Data Exposure] (LOW): The skill stores browser session data and authentication cookies in local directories ('browser data is saved in a local directory'). While standard for automation, it creates a risk of credential exposure if the local file system is not strictly secured.
Recommendations
- AI detected serious security threats
Audit Metadata