xhs-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The script `scripts/content_gen.py` reads the sensitive global configuration file at `~/.openclaw/openclaw.json` to obtain API keys and provider settings. While this facilitates integration with the user's existing environment, it grants the skill access to platform-wide credentials.
- [INDIRECT_PROMPT_INJECTION]: The automated comment interaction feature in `scripts/comments.py` presents an attack surface for indirect injection.
  - Ingestion points: Live comments are fetched from the Xiaohongshu creator platform via `scripts/comments.py`.
  - Boundary markers: The prompt used to generate replies lacks delimiters or instructions to isolate the untrusted comment text from the system directives.
  - Capability inventory: The skill can publish/delete posts and post replies using Playwright browser automation.
  - Sanitization: No sanitization or safety filtering is applied to the retrieved comment text before it is processed by the LLM.
- [DYNAMIC_EXECUTION]: `scripts/xhs_auto.py` utilizes Playwright's `page.evaluate` and `evaluate_handle` to execute JavaScript within the browser context. This is used for legitimate UI automation tasks such as session validation, clicking elements, and calling platform APIs.