xhs

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): install.sh and xhs-toolkit/install_deps.py both run `curl -LsSf https://astral.sh/uv/install.sh | sh`, fetching a script from an external host and piping it straight into the shell. Nothing is pinned or checked (no version, checksum or signature), so whatever the server returns at install time runs with the installing user's privileges, and the bytes a reviewer reads are not necessarily the bytes the installer executes.
  • COMMAND_EXECUTION (HIGH): xhs-toolkit/install.sh installs system packages with `sudo apt-get install`, so the installer needs root via sudo and changes system-wide package state outside the skill's own directory. Any error or tampering in that step affects the whole host, not just the skill.
  • CREDENTIALS_UNSAFE (HIGH): The skill prompts for an OpenRouter API key and stores it in the agent's global configuration file (~/.openclaw/openclaw.json). It also extracts Xiaohongshu session cookies and writes them to a local JSON file (~/.openclaw/credentials/xhs_cookies.json). Session cookies are bearer credentials: anyone who reads that file gets the logged-in session without a password or second factor, which is complete account takeover, and a leaked API key can be used at the owner's expense.
  • DATA_EXFILTRATION (MEDIUM): src/utils/image_processor.py downloads images with aiohttp from arbitrary URLs taken from user inputs. Intended for content generation, the same fetch is a server-side request forgery (SSRF) primitive: it can be pointed at internal services the host can reach, or at an attacker's endpoint as a signalling or exfiltration channel.
  • PROMPT_INJECTION (LOW): SKILL.md contains instructional overrides ('IMPORTANT: All Xiaohongshu operations must use exec tool... do not use browser tool') that dictate the agent's tool selection, steering it away from the browser tool and its safeguards toward direct script execution.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill has a significant attack surface for indirect injection, because it reads untrusted web content and feeds it to the model that also controls posting:
    • Ingestion points: XHSDataCollector in src/xiaohongshu/data_collector/dashboard.py and fans.py scrapes trending topics and user comments from the web.
    • Boundary markers: None detected in the script logic; external data is processed directly.
    • Capability inventory: The skill posts content through selenium via XHSPublisher and runs Python scripts through the exec tool.
    • Sanitization: None. Scraped web content is passed to the AI for 'trending' analysis or content generation without filtering, so instructions embedded in a comment or topic reach the model verbatim.
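The DATA_EXFILTRATION finding above is a missing destination check in the image fetcher. The following is an added example, not code from the xhs skill, of the check a URL-driven downloader should run before opening a connection: allow only http(s), reject embedded credentials, resolve the host, and refuse any address that is not public unicast (loopback, RFC 1918, link-local including 169.254.169.254, multicast, and IPv4-mapped IPv6 forms of those). The function names, the injectable `resolver` parameter and the sample hostnames are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every address the host resolves to, as strings.

    All records are checked, not just the first: a name that answers with one
    public and one internal address must still be rejected.
    """
    infos = socket.getaddrinfo(host, None)
    # Drop any IPv6 scope id ("fe80::1%eth0") so ipaddress can parse the text.
    return {info[4][0].split("%", 1)[0] for info in infos}


def is_public_address(addr):
    """True only for a routable public unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in an IPv6 wrapper; unwrap before testing.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_image_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a URL before any connection is opened.

    `resolver` is injectable (an assumption of this example) so the policy can
    be tested without DNS; production code passes the real resolve_host.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    try:
        # A literal IP never touches DNS; a name is resolved here so the
        # same addresses can later be pinned for the actual connection.
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"resolution failed for {host}: {exc}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, no network needed for the literal-IP cases.
    for u in ("https://cdn.example/a.png",
              "http://127.0.0.1:8080/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/x",
              "file:///etc/passwd"):
        print(u, check_image_url(u))
```

Two caveats remain after this check. The resolved addresses can change between the check and the connect (DNS rebinding), so the fetch should connect to the addresses that were checked rather than resolving again; with aiohttp that means a `TCPConnector` with a custom `resolver`. And aiohttp follows redirects by default, so either pass `allow_redirects=False` or re-run the check on every hop, otherwise a public URL can bounce the fetcher to an internal one.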
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
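The HIGH recommendation above concerns `curl -LsSf https://astral.sh/uv/install.sh | sh` in install.sh and install_deps.py. As an added example, not code from the xhs skill or from uv's maintainers, here is the download-verify-execute pattern that a Python installer like install_deps.py could use instead of the pipe: fetch the script into memory over https only, compare its SHA-256 against a digest pinned from a copy someone actually read, and hand exactly those bytes to `sh` only if they match. The URL is the one from the finding; the digest placeholder, the function names and the injectable `fetcher`/`runner` parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
from urllib.parse import urlparse
from urllib.request import urlopen

UV_INSTALLER_URL = "https://astral.sh/uv/install.sh"
# Assumed placeholder: replace with the SHA-256 of a reviewed copy of the
# installer. A mismatch is a stop condition, never something to skip past.
UV_INSTALLER_SHA256 = "<pinned-sha256-of-reviewed-copy>"


def fetch_bytes(url, timeout=30):
    """Download url into memory; only https is accepted."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-https installer URL: {url}")
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def sha256_hex(data):
    """Hex SHA-256 of data; also how the pinned digest is produced from a reviewed copy."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(data, expected_sha256):
    """True only if data hashes to the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def install_uv(url=UV_INSTALLER_URL, expected_sha256=UV_INSTALLER_SHA256,
               fetcher=fetch_bytes, runner=subprocess.run):
    """Replacement for `curl -LsSf <url> | sh`: download, verify, then run.

    The script is never handed to the shell until its digest matches, and the
    bytes that were verified are the bytes that execute. `fetcher` and `runner`
    are injectable (an assumption of this example) so the flow is testable
    offline. Returns True after a successful run; raises on mismatch.
    """
    data = fetcher(url)
    if not verify_installer(data, expected_sha256):
        raise RuntimeError(
            f"installer digest mismatch for {url}: got {sha256_hex(data)}, "
            f"expected {expected_sha256}; not executing")
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        runner(["sh", path], check=True)
    finally:
        os.unlink(path)
    return True


if __name__ == "__main__":
    # With the placeholder digest this deliberately refuses to run anything.
    try:
        install_uv()
    except RuntimeError as exc:
        print(exc)
```

A pinned digest turns the moving install script into a fixed artifact, which also means the pin must be refreshed deliberately whenever a new installer is reviewed. Where that is too much friction, installing a specific uv release through a package manager that performs its own integrity checks avoids executing a remote script at all; the thing to avoid is the pipe, which gives the server a per-request choice of what runs.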
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 22, 2026, 11:53 PM